From d7fd22e601293ffae0de2166b226adbae1f7e33e Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 22 Oct 2013 12:56:32 -0400
Subject: [PATCH] Confine bluetooth app.

Remove unconfined_domain() from the bluetooth app domain, restore the rules from our policy, and move the neverallow rule for bluetooth capabilities to bluetooth.te. Make the bluetooth domain permissive again until it has received sufficient testing.

Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09
Signed-off-by: Stephen Smalley
---
 app.te | 1 -
 bluetooth.te | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 242e5ab67..7da44450f 100644
--- a/app.te
+++ b/app.te
@@ -132,7 +132,6 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # Superuser capabilities.
 # bluetooth requires net_admin.
 neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
 neverallow { appdomain -unconfineddomain } self:capability2 *;
 
 # Block device access.
diff --git a/bluetooth.te b/bluetooth.te
index 72263e3c5..2403a5513 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,4 +1,50 @@
 # bluetooth subsystem
 type bluetooth, domain;
+permissive bluetooth;
 app_domain(bluetooth)
-unconfined_domain(bluetooth)
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+# Device accesses.
+allow bluetooth { tun_device uhid_device hci_attach_dev input_device }:chr_file rw_file_perms;
+
+# Other domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow bluetooth self:capability net_admin;
+
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
+
+# Talk to init over the property socket.
+unix_socket_connect(bluetooth, property, init)
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# bluetooth file transfers
+allow bluetooth sdcard_internal:dir create_dir_perms;
+allow bluetooth sdcard_internal:file create_file_perms;
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow bluetooth self:capability ~net_admin;
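Review bot: `permissive bluetooth;` is added at the top of the hunk with no in-file explanation, and while it stands every allow rule below it describes a confinement that is not enforced at runtime — denials in the domain are audited but not blocked, so the domain remains effectively unconfined even though `unconfined_domain(bluetooth)` was removed. Since the commit message calls this a temporary testing state, record that next to the rule, e.g. `# TODO: drop once the rules below have been validated; permissive only audits denials.`, so the line does not outlive the testing it was added for. Separately, `allow bluetooth self:capability net_admin;` sits under the `# sysfs access.` heading although it grants a capability rather than sysfs access; giving it its own `# Capabilities.` heading would keep the section comments truthful and make the capability grant easy to find when the `neverallow bluetooth self:capability ~net_admin;` at the bottom is reviewed. Note also that `allow bluetoothdomain self:socket *;` grants every permission on the generic socket class to all bluetoothdomain members; the preceding comment explains why no narrower class is available, but it is the broadest rule in the hunk and worth a note on what would allow it to be tightened later.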