From 801b5ec472ba4fb81e098d321f08a38f4b7375cc Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Mon, 6 Feb 2017 15:27:19 -0800
Subject: [PATCH] Move bluetooth policy to private

This leaves only the existence of bluetooth domain as public API. All other rules are implementation details of this domain's policy and are thus now private.
Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with bluetooth_current except those created by other domains' allow rules referencing bluetooth domain from public and vendor policy.
Bug: 31364497
Change-Id: I3521b74a1a9f6c5a5766b358e944dc5444e3c536
---
 private/bluetooth.te | 83 ++++++++++++++++++++++++++++++++++++++++++--
 public/bluetooth.te | 77 +---------------------------------------
 2 files changed, 81 insertions(+), 79 deletions(-)

diff --git a/private/bluetooth.te b/private/bluetooth.te
index 40ce8c166..5ea6027f2 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,83 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+# bluetooth subsystem
+
+typeattribute bluetooth domain_deprecated;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
 # Socket creation under /data/misc/bluedroid.
 type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 
-app_domain(bluetooth)
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(bluetooth, sysfs_type)
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth surfaceflinger_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# Bluetooth Sim Access Profile Socket to the RIL
+unix_socket_connect(bluetooth, sap_uim, rild)
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Perform HwBinder IPC.
+hwbinder_use(bluetooth)
+binder_call(bluetooth, hal_bluetooth)
+binder_call(bluetooth, hal_telephony)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/public/bluetooth.te b/public/bluetooth.te
index eda60de89..9b3442aa5 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
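Review bot: The consolidated file now carries two overlapping capability grants — `allow bluetooth self:capability net_admin;` under "# sysfs access." and `allow bluetooth self:capability { net_admin net_raw net_bind_service };` under "# tethering" — and the "# Socket creation under /data/misc/bluedroid." comment appears twice, once over the context `type_transition` and once over `allow bluetooth bluetooth_socket:sock_file create_file_perms;`. Since the purpose of the move is to hold the whole domain policy in one place, this is the moment to drop the lone `net_admin` rule (the tethering rule already includes it) and move the `bluetooth_socket:sock_file` allow up beside the `type_transition` it complements, so the two rules that together implement socket creation are read together; neither change alters what sesearch reports. `typeattribute bluetooth domain_deprecated;` keeps what is presumably the legacy compatibility attribute on the domain; if that is intentional for now, a `# TODO: drop domain_deprecated from bluetooth` above it would keep the broad grant visible for the next tightening pass. Keeping the neverallow block in the private file looks fine as far as I can tell, since neverallows are checked against the assembled policy at build time, but that is worth confirming with the policy build rather than assuming.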
@@ -1,77 +1,2 @@
 # bluetooth subsystem
-type bluetooth, domain, domain_deprecated;
-
-net_domain(bluetooth)
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(bluetooth, sysfs_type)
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allow bluetooth efs_file:dir search;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Perform HwBinder IPC.
-hwbinder_use(bluetooth)
-binder_call(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+type bluetooth, domain;