From 6e4508e625e29f1a782428447de142e96498b5e4 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Tue, 27 Dec 2016 18:05:46 -0800
Subject: [PATCH] Restrict access to Bluetooth system properties

This removes access to Bluetooth system properties from arbitrary SELinux domains. Access remains granted to init, bluetooth, and system_app domains. neverallow rules / CTS enforce that access is not granted to Zygote and processes spawned from Zygote expcept for system_app and bluetooth. The reason is that some of these properties may leak persistent identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
---
private/property_contexts | 2 ++
public/app.te | 8 ++++++++
public/property.te | 3 +--
public/webview_zygote.te | 4 ++++
public/zygote.te | 3 +++
5 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/private/property_contexts b/private/property_contexts
index 39e8a8db8..80476cc25 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -61,7 +61,9 @@ persist.vendor.overlay. u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
 ro.boottime. u:object_r:boottime_prop:s0
 ro.serialno u:object_r:serialno_prop:s0
+ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
 ro.boot.serialno u:object_r:serialno_prop:s0
+ro.bt. u:object_r:bluetooth_prop:s0
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
diff --git a/public/app.te b/public/app.te
index 77af57c8c..370f5394b 100644
--- a/public/app.te
+++ b/public/app.te
@@ -468,3 +468,11 @@ neverallow {
 appdomain
 -shell # bugreport
 } input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} bluetooth_prop:file create_file_perms;
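Review bot: The two new bluetooth_prop entries are added without the explanatory comment that neighbouring groups in this file carry, and they are interleaved with the serialno_prop lines rather than kept together, so a reader cannot tell from the file why `ro.boot.btmacaddr` is labelled differently from `ro.boot.serialno` next to it. Note also that `ro.bt.` with its trailing dot is a prefix entry while `ro.boot.btmacaddr` is an exact-name entry, which is worth stating since the two look alike. I would group the two lines and precede them with `# Bluetooth properties; ro.boot.btmacaddr presumably carries a persistent hardware identifier, so access is restricted by the bluetooth_prop neverallows in app.te, zygote.te and webview_zygote.te`.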
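Review bot: The new neverallow at the end of app.te constrains only the `file` class on bluetooth_prop, i.e. the read path through the property backing files, while setting a property is a separate `property_service set` permission on the same type that this rule leaves unconstrained for appdomain. If the intent is that only bluetooth and system_app may touch these properties, the invariant is only fully enforced by also adding `neverallow { appdomain -bluetooth -system_app } bluetooth_prop:property_service set;`; the same gap applies to the webview_zygote.te and zygote.te hunks below. The comment's claim that data-file neverallows are "above" cannot be checked from this hunk, so it should name the rule it refers to. The three context lines at the top of the hunk are the tail of a neverallow whose opening lies outside the hunk.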
diff --git a/public/property.te b/public/property.te
index ce5ce2f9b..1bde35c4d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,6 +1,6 @@
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
-type bluetooth_prop, property_type, core_property_type;
+type bluetooth_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
 type ctl_bootanim_prop, property_type;
@@ -61,7 +61,6 @@ allow property_type tmpfs:filesystem associate;
 neverallow * {
 core_property_type
 -audio_prop
- -bluetooth_prop
 -config_prop
 -cppreopt_prop
 -dalvik_prop
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 71f3f9a3c..93bbbb1ef 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -102,3 +102,7 @@ neverallow webview_zygote domain:{
 netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
 netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
 netlink_crypto_socket } *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/public/zygote.te b/public/zygote.te
index aabf12fd4..385be94a3 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -123,3 +123,6 @@ neverallow zygote {
 data_file_type
 -dalvikcache_data_file # map PROT_EXEC
 }:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;
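Review bot: Dropping `core_property_type` from the bluetooth_prop declaration is the load-bearing change of this patch, but the type line carries no comment saying why this property type is an exception among its neighbours, and the enforcement now lives entirely in neverallows in other files. I would annotate it: `# Not core_property_type: may expose persistent identifiers; access is restricted by neverallows in app.te, zygote.te and webview_zygote.te`. The second hunk's removal of `-bluetooth_prop` from the exemption list appears to be a pure cleanup, since a type that no longer has the core_property_type attribute is no longer in that set either way; the neverallow it belongs to continues past the end of the hunk, so its class and permission are not visible here.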
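Review bot: The comment added to zygote.te says "system properties and files", but the rule beneath it covers only `bluetooth_prop:file`, and the neverallow above it in the hunk concerns executable mappings of data_file_type, not Bluetooth data files, so the comment overstates what this line enforces. Either reduce it to `# Do not allow access to Bluetooth-related system properties.` to match the wording used in webview_zygote.te, or, if a separate Bluetooth data-file neverallow exists earlier in zygote.te, reference it explicitly as webview_zygote.te does; that earlier rule is not visible in this hunk. The neverallow whose closing `}:file no_x_file_perms;` appears in the context lines opens outside the hunk.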