# bluetooth subsystem
#
# Type-enforcement rules for the bluetooth domain: what the process may
# touch (data files, sockets, device nodes, sysfs) and which capabilities
# it may hold. Names ending in _perms and the macro calls below are
# defined outside this file.
type bluetooth, domain;
# NOTE(review): app_domain and net_domain presumably grant the baseline
# app and network-socket permissions -- read their definitions before
# judging the total access of this domain.
app_domain(bluetooth)
net_domain(bluetooth)

# Data file accesses.
# Directories and every non-device file class labelled bluetooth_data_file.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

# Socket creation under /data/misc/bluedroid.
# A sock_file created by bluetooth inside a bluetooth_data_file directory
# is labelled bluetooth_socket instead of inheriting the directory label,
# so access to the socket can be granted separately from the data files.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file create_file_perms;

# bluetooth factory file accesses.
# NOTE(review): r_dir_file is presumably read-only access to directories
# and files of the given type -- confirm against the macro definition.
r_dir_file(bluetooth, bluetooth_efs_file)

# Device accesses.
# Read/write on the character devices labelled tun_device, uhid_device
# and hci_attach_dev.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# TODO: This should no longer be needed with bluedroid for bluetooth
# but may be getting used for other non-bluetooth sockets that have no
# specific class defined. Consider taking to specific domains.
#
# The set subtraction keeps untrusted_app, isolated_app and shell out of
# this grant even if they carry the bluetoothdomain attribute. The
# neverallow that follows is a build-time assertion: it grants nothing,
# and policy compilation fails if any rule gives one of those three
# domains any permission on the generic socket class of any of the three.
allow { bluetoothdomain -untrusted_app -isolated_app -shell } self:socket create_socket_perms;
neverallow { untrusted_app isolated_app shell } { untrusted_app isolated_app shell }:socket *;

# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
# net_admin is the only permission granted on the capability class and
# wake_alarm the only one on capability2; the neverallow rules at the end
# of this file assert that no other capability is ever added.
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;

# Allow clients to use a socket provided by the bluetooth app.
# TODO: See if this is still required under bluedroid.
# The permission list has no create, connect, bind, listen or accept, so
# this covers use of an already-established socket only.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

# tethering
allow bluetooth self:tun_socket create_socket_perms;
# search only: the domain may traverse efs_file directories but not list
# or read them. NOTE(review): presumably needed to reach the
# bluetooth_efs_file content granted above -- confirm.
allow bluetooth efs_file:dir search;

# proc access.
# Read/write on files labelled proc_bluetooth_writable.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;

# Allow write access to bluetooth specific properties
# set_prop is a macro defined outside this file; each call names one
# property type the bluetooth domain may set.
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
set_prop(bluetooth, ctl_dhcp_pan_prop)

# Service manager lookups. Only find is granted: the domain may look
# these services up, and no add or list permission is given here.
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth surfaceflinger_service:service_manager find;
# NOTE(review): app_api_service and system_api_service look like
# attributes covering groups of services rather than single services --
# confirm; if so, these two rules are much wider than the four named
# services above.
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;

# Bluetooth Sim Access Profile Socket to the RIL
# unix_socket_connect is a macro defined outside this file; its arguments
# here are the client domain, the socket name and the server domain.
unix_socket_connect(bluetooth, sap_uim, rild)

# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
# Only read is granted, not open: bluetooth can read from a descriptor
# that was handed to it but cannot open shell_data_file files by path.
allow bluetooth shell_data_file:file read;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
### A neverallow grants nothing; it is an assertion checked when the
### policy is compiled, and the build fails if any allow rule violates it.

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# ~X is the complement set: every capability except net_admin is
# forbidden, and every capability2 permission except wake_alarm and
# block_suspend is forbidden. block_suspend is tolerated by the assertion
# but is not granted anywhere in this file.
neverallow bluetooth self:capability ~net_admin;
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };