tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/bluetooth.te
Stephen Smalley b3c48b66bc Change the type on /dev/uinput to match /dev/uhid. 
/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*.  bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former.  This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).

Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-31 08:24:49 -07:00

53 lines
1.6 KiB
Text
Raw Blame History

# bluetooth subsystem
type bluetooth, domain;
permissive bluetooth;
app_domain(bluetooth)
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
# bluetooth factory file accesses.
r_dir_file(bluetooth, bluetooth_efs_file)
# Device accesses.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
allow bluetoothdomain self:socket *;
# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
# tethering
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
allow bluetooth efs_file:dir search;
# Talk to init over the property socket.
unix_socket_connect(bluetooth, property, init)
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# bluetooth file transfers
allow bluetooth sdcard_internal:dir create_dir_perms;
allow bluetooth sdcard_internal:file create_file_perms;
# Allow write access to bluetooth specific properties
allow bluetooth bluetooth_prop:property_service set;
###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
# Superuser capabilities.
# bluetooth requires net_admin.
neverallow bluetooth self:capability ~net_admin;
Reference in a new issue View git blame Copy permalink