# bluetooth subsystem type bluetooth, domain; permissive_or_unconfined(bluetooth) app_domain(bluetooth) # Data file accesses. allow bluetooth bluetooth_data_file:dir create_dir_perms; allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms; # bluetooth factory file accesses. r_dir_file(bluetooth, bluetooth_efs_file) # Device accesses. allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms; # Other domains that can create and use bluetooth sockets. # SELinux does not presently define a specific socket class for # bluetooth sockets, nor does it distinguish among the bluetooth protocols. allow bluetoothdomain self:socket *; # sysfs access. allow bluetooth sysfs_bluetooth_writable:file rw_file_perms; allow bluetooth self:capability net_admin; # Allow clients to use a socket provided by the bluetooth app. allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown }; # tethering allow bluetooth self:{ tun_socket udp_socket } { ioctl create }; allow bluetooth efs_file:dir search; # Talk to init over the property socket. unix_socket_connect(bluetooth, property, init) # proc access. allow bluetooth proc_bluetooth_writable:file rw_file_perms; # bluetooth file transfers allow bluetooth sdcard_internal:dir create_dir_perms; allow bluetooth sdcard_internal:file create_file_perms; # Allow write access to bluetooth specific properties allow bluetooth bluetooth_prop:property_service set; ### ### Neverallow rules ### ### These are things that the bluetooth app should NEVER be able to do ### # Superuser capabilities. # bluetooth requires net_admin. neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;