  • bluetooth.te 1.63 KiB
    # bluetooth subsystem
    # Policy for the bluetooth domain: declares the type, grants access to its
    # data files, device nodes, sockets, sysfs/proc nodes, internal sdcard storage
    # and its own properties, and closes with a neverallow on capabilities.
    type bluetooth, domain;
    # NOTE(review): a permissive domain is not confined at runtime. Accesses
    # outside the allow rules below are logged as AVC denials but still permitted,
    # so these rules document intent rather than enforce it. Drop this statement
    # once the logged denials have been reviewed and the rule set is complete.
    permissive bluetooth;
    # app_domain() is a macro defined outside this file; presumably it applies the
    # common app-domain rules -- confirm against its definition.
    app_domain(bluetooth)
    
    # Data file accesses.
    allow bluetooth bluetooth_data_file:dir create_dir_perms;
    allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
    
    # bluetooth factory file accesses.
    r_dir_file(bluetooth, bluetooth_efs_file)
    
    # Device accesses.
    # Read/write on the character devices labelled tun_device, uhid_device and
    # hci_attach_dev.
    allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
    
    # Other domains that can create and use bluetooth sockets.
    # SELinux does not presently define a specific socket class for
    # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
    # NOTE(review): "*" grants every permission of the generic socket class, and
    # the source is bluetoothdomain rather than bluetooth, so the grant reaches
    # every domain carrying that attribute (declared outside this file). It is
    # limited to each domain's own sockets (target is self).
    allow bluetoothdomain self:socket *;
    
    # sysfs access.
    allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
    # net_admin is the only capability granted here; the neverallow at the end of
    # the file asserts that no other capability is allowed.
    allow bluetooth self:capability net_admin;
    
    # Allow clients to use a socket provided by the bluetooth app.
    # Clients get read, write and shutdown only; no other unix_stream_socket
    # permission on bluetooth's sockets is granted by this rule.
    allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
    
    # tethering
    # Only ioctl and create are granted on the domain's own tun and udp sockets.
    allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
    allow bluetooth efs_file:dir search;
    
    # Talk to init over the property socket.
    unix_socket_connect(bluetooth, property, init)
    
    # proc access.
    allow bluetooth proc_bluetooth_writable:file rw_file_perms;
    
    # bluetooth file transfers
    # NOTE(review): create perms on sdcard_internal dirs and files; presumably this
    # storage is shared with other apps, so transferred files should be treated as
    # readable and modifiable outside this domain -- confirm.
    allow bluetooth sdcard_internal:dir create_dir_perms;
    allow bluetooth sdcard_internal:file create_file_perms;
    
    # Allow write access to bluetooth specific properties
    allow bluetooth bluetooth_prop:property_service set;
    
    ###
    ### Neverallow rules
    ###
    ### These are things that the bluetooth app should NEVER be able to do
    ###
    
    # Superuser capabilities.
    # bluetooth requires net_admin.
    # ~net_admin is the complement set: every capability except net_admin.
    # neverallow is checked when the policy is built, so it rejects any allow rule
    # that grants bluetooth another capability. It does not restrict runtime
    # behaviour while the domain is permissive.
    neverallow bluetooth self:capability ~net_admin;