# bluetooth subsystem
#
# Type-enforcement rules for the `bluetooth` domain (the Bluetooth stack
# process). Everything this domain may touch is listed here as an explicit
# allow rule; the neverallow block at the end pins the capability set so
# that no other policy file can widen it. Macros such as app_domain(),
# net_domain(), r_dir_file(), unix_socket_connect() and the *_perms sets
# are defined elsewhere in the policy tree; their exact expansion is not
# visible in this file.
type bluetooth, domain;
app_domain(bluetooth)
net_domain(bluetooth)

# Data file accesses.
# Full directory and (non-device) file management rights on the domain's
# own data label; the label is not the generic app data type, so other app
# domains do not inherit access to it through these rules.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

# Socket creation under /data/misc/bluedroid.
# Unix sockets created inside a bluetooth_data_file directory are
# automatically relabelled to bluetooth_socket, which keeps them distinct
# from ordinary data files and lets client access be granted per socket
# type rather than per directory.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file create_file_perms;

# bluetooth factory file accesses.
# Read-only (per the r_dir_file macro name); there is no write rule on
# bluetooth_efs_file in this file.
r_dir_file(bluetooth, bluetooth_efs_file)

# Device accesses.
# Read/write on three character devices in one rule: the HCI attach node,
# the uhid node and the tun node. tun_device is presumably paired with the
# tun_socket rule in the tethering section below — confirm against the
# device labelling.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# TODO: This should no longer be needed with bluedroid for bluetooth
# but may be getting used for other non-bluetooth sockets that has no
# specific class defined. Consider taking to specific domains.
# NOTE(review): the subject here is the `bluetoothdomain` attribute
# (declared elsewhere), and the generic `socket` class covers every
# address family that has no class of its own, so this grant is broader
# than the comment's intent. Any domain added to that attribute gets it.
allow bluetoothdomain self:socket create_socket_perms;

# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
# The only two capabilities the domain holds; the neverallow rules at the
# bottom enforce that the set stays exactly this.
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;

# Allow clients to use a socket provided by the bluetooth app.
# TODO: See if this is still required under bluedroid.
# The permission list has no create/connect/listen/accept, so client
# domains can only operate on a stream socket already handed to them
# (presumably by fd passing), not open a new one to bluetooth.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

# tethering
allow bluetooth self:tun_socket create_socket_perms;
# search only: path traversal into efs_file directories, no read of their
# contents via this rule.
allow bluetooth efs_file:dir search;

# Talk to init over the property socket.
unix_socket_connect(bluetooth, property, init)

# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;

# Allow write access to bluetooth specific properties
# `set` on these three property types only; writes to any other
# property_service type are not granted here.
allow bluetooth bluetooth_prop:property_service set;
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# `~net_admin` / `~wake_alarm` mean "every capability except that one";
# these are compile-time assertions, so a rule anywhere in the policy that
# grants bluetooth any other capability fails the policy build rather than
# silently taking effect.
neverallow bluetooth self:capability ~net_admin;
neverallow bluetooth self:capability2 ~wake_alarm;