am d7fd22e6: Confine bluetooth app.
* commit 'd7fd22e601293ffae0de2166b226adbae1f7e33e': Confine bluetooth app.
This commit is contained in:
Stephen Smalley
Android Git Automerger
commit
77828e1e80
2 changed files with 47 additions and 2 deletions
1
app.te
1
app.te
|
|
@ -132,7 +132,6 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
|
|||
# Superuser capabilities.
|
||||
# bluetooth requires net_admin.
|
||||
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
|
||||
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
|
||||
neverallow { appdomain -unconfineddomain } self:capability2 *;
|
||||
|
||||
# Block device access.
|
||||
|
|
|
|||
48
bluetooth.te
48
bluetooth.te
|
|
@ -1,4 +1,50 @@
|
|||
# bluetooth subsystem
|
||||
type bluetooth, domain;
|
||||
permissive bluetooth;
|
||||
app_domain(bluetooth)
|
||||
unconfined_domain(bluetooth)
|
||||
|
||||
# Data file accesses.
|
||||
allow bluetooth bluetooth_data_file:dir create_dir_perms;
|
||||
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# bluetooth factory file accesses.
|
||||
r_dir_file(bluetooth, bluetooth_efs_file)
|
||||
|
||||
# Device accesses.
|
||||
allow bluetooth { tun_device uhid_device hci_attach_dev input_device }:chr_file rw_file_perms;
|
||||
|
||||
# Other domains that can create and use bluetooth sockets.
|
||||
# SELinux does not presently define a specific socket class for
|
||||
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
|
||||
allow bluetoothdomain self:socket *;
|
||||
|
||||
# sysfs access.
|
||||
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
|
||||
allow bluetooth self:capability net_admin;
|
||||
|
||||
# Allow clients to use a socket provided by the bluetooth app.
|
||||
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
|
||||
|
||||
# tethering
|
||||
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
|
||||
allow bluetooth efs_file:dir search;
|
||||
|
||||
# Talk to init over the property socket.
|
||||
unix_socket_connect(bluetooth, property, init)
|
||||
|
||||
# proc access.
|
||||
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
|
||||
|
||||
# bluetooth file transfers
|
||||
allow bluetooth sdcard_internal:dir create_dir_perms;
|
||||
allow bluetooth sdcard_internal:file create_file_perms;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### These are things that the bluetooth app should NEVER be able to do
|
||||
###
|
||||
|
||||
# Superuser capabilities.
|
||||
# bluetooth requires net_admin.
|
||||
neverallow bluetooth self:capability ~net_admin;
|
||||
|
|
|
|||
Loading…
Reference in a new issue