Restrict access to Bluetooth system properties

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472

private/property_contexts

@@ -61,7 +61,9 @@ persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
 ro.serialno             u:object_r:serialno_prop:s0
+ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
 ro.boot.serialno        u:object_r:serialno_prop:s0
+ro.bt.                  u:object_r:bluetooth_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.

public/app.te

@@ -468,3 +468,11 @@ neverallow {
   appdomain
   -shell # bugreport
 } input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+  appdomain
+  -bluetooth
+  -system_app
+} bluetooth_prop:file create_file_perms;

public/property.te

@@ -1,6 +1,6 @@
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
-type bluetooth_prop, property_type, core_property_type;
+type bluetooth_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
 type ctl_bootanim_prop, property_type;
@@ -61,7 +61,6 @@ allow property_type tmpfs:filesystem associate;
 neverallow * {
   core_property_type
   -audio_prop
-  -bluetooth_prop
   -config_prop
   -cppreopt_prop
   -dalvik_prop

public/webview_zygote.te

@@ -102,3 +102,7 @@ neverallow webview_zygote domain:{
   netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
   netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
 } *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;

public/zygote.te

@@ -123,3 +123,6 @@ neverallow zygote {
   data_file_type
   -dalvikcache_data_file # map PROT_EXEC
 }:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;