997680a3b7
Allow bluetooth to handle media_rw_data_file file descriptors
sent to it from other processes. Without this, bluetooth
picture / video sharing is broken.
Steps to reproduce:
1. Take few pictures
2. launch gallery and choose a picture/video and click on share and choose
available BT device and share
Other info from bug report:
- Bluetooth process queries media content provider for a file descriptor,
with an Uri like "content://media/external/images/media/69"
- Media server resolves the uri to a file on the filesystem, in the case of
Gallery at "/storage/emulated/0/DCIM/Camera/IMG_20140128_141656.jpg"
- Media server returns the FD over binder to bluetooth
- Bluetooth is unable to read the file backed by the file descriptor.
Fixes Denial:
<5>[ 821.040286] type=1400 audit(1390952161.805:11): avc: denied { read } for pid=1348 comm="Binder_3" path="/data/media/0/DCIM/Camera/IMG_20140128_141656.jpg" dev="mmcblk0p23" ino=236246 scontext=u:r:bluetooth:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
Bug: 12457805
Change-Id: I1423d06a98416ae4ab19508f0d005a6353acadc4
60 lines
1.9 KiB
Text
60 lines
1.9 KiB
Text
# bluetooth subsystem
|
|
type bluetooth, domain;
|
|
app_domain(bluetooth)
|
|
|
|
# Data file accesses.
|
|
allow bluetooth bluetooth_data_file:dir create_dir_perms;
|
|
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
|
|
|
|
# Socket creation under /data/misc/bluedroid.
|
|
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
|
|
allow bluetooth bluetooth_socket:sock_file create_file_perms;
|
|
|
|
# bluetooth factory file accesses.
|
|
r_dir_file(bluetooth, bluetooth_efs_file)
|
|
|
|
# Device accesses.
|
|
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
|
|
|
|
# Other domains that can create and use bluetooth sockets.
|
|
# SELinux does not presently define a specific socket class for
|
|
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
|
|
allow bluetoothdomain self:socket *;
|
|
|
|
# sysfs access.
|
|
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
|
|
allow bluetooth self:capability net_admin;
|
|
|
|
# Allow clients to use a socket provided by the bluetooth app.
|
|
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
|
|
|
|
# tethering
|
|
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
|
|
allow bluetooth efs_file:dir search;
|
|
|
|
# Talk to init over the property socket.
|
|
unix_socket_connect(bluetooth, property, init)
|
|
|
|
# proc access.
|
|
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
|
|
|
|
# bluetooth file transfers
|
|
allow bluetooth sdcard_internal:dir create_dir_perms;
|
|
allow bluetooth sdcard_internal:file create_file_perms;
|
|
|
|
# Allow reading of media_rw_data_file file descriptors
|
|
# passed to bluetooth
|
|
allow bluetooth media_rw_data_file:file { read getattr };
|
|
|
|
# Allow write access to bluetooth specific properties
|
|
allow bluetooth bluetooth_prop:property_service set;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### These are things that the bluetooth app should NEVER be able to do
|
|
###
|
|
|
|
# Superuser capabilities.
|
|
# bluetooth requires net_admin.
|
|
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
|