Skip to content
Snippets Groups Projects
Normal view Permalink
hal_bluetooth.te 1.17 KiB
Newer Older
  • Learn to ignore specific revisions
    • Alex Klyubin's avatar
    Switch Bluetooth HAL policy to _client/_server  
    Alex Klyubin committed
    1 2 3 
    # HwBinder IPC from clients into server, and callbacks
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
    Andre Eisenbach's avatar
    Add selinux policy for Bluetooth HAL
    Andre Eisenbach committed
    4
    Alex Klyubin's avatar
    Restrict access to hwservicemanager  
    Alex Klyubin committed
    5 6 7 
    add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
    Andre Eisenbach's avatar
    Add selinux policy for Bluetooth HAL
    Andre Eisenbach committed
    8 9 
    wakelock_use(hal_bluetooth);
    Myles Watson's avatar
    Allow the Bluetooth HAL to toggle rfkill  
    Myles Watson committed
    10 
    # The HAL toggles rfkill to power the chip off/on.
    Benjamin Gordon's avatar
    sepolicy: Add rules for non-init namespaces  
    Benjamin Gordon committed
    11 
    allow hal_bluetooth self:global_capability_class_set net_admin;
    Myles Watson's avatar
    Allow the Bluetooth HAL to toggle rfkill  
    Myles Watson committed
    12
    Andre Eisenbach's avatar
    Add selinux policy for Bluetooth HAL
    Andre Eisenbach committed
    13 14 15 16 17 18 19 20 
    # bluetooth factory file accesses.
r_dir_file(hal_bluetooth, bluetooth_efs_file)

allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;

# sysfs access.
r_dir_file(hal_bluetooth, sysfs_type)
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
    Benjamin Gordon's avatar
    sepolicy: Add rules for non-init namespaces  
    Benjamin Gordon committed
    21 
    allow hal_bluetooth self:global_capability2_class_set wake_alarm;
    Andre Eisenbach's avatar
    Add selinux policy for Bluetooth HAL
    Andre Eisenbach committed
    22 23 
    
# Allow write access to bluetooth-specific properties
    Jaekyun Seok's avatar
    Whitelist vendor-init-settable bluetooth_prop and wifi_prop  
    Jaekyun Seok committed
    24 
    set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
    Andre Eisenbach's avatar
    Add selinux policy for Bluetooth HAL
    Andre Eisenbach committed
    25 
    set_prop(hal_bluetooth, bluetooth_prop)
    Jaekyun Seok's avatar
    Whitelist vendor-init-settable bluetooth_prop and wifi_prop  
    Jaekyun Seok committed
    26 
    set_prop(hal_bluetooth, exported_bluetooth_prop)
    Andre Eisenbach's avatar
    Bluetooth: Enable /proc access for vendor library low power control  
    Andre Eisenbach committed
    27 28 29 
    
# /proc access (bluesleep etc.).
allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
    Martijn Coenen's avatar
    Grant CAP_SYS_NICE to processes that need it.  
    Martijn Coenen committed
    30 31 
    
# allow to run with real-time scheduling policy
    Benjamin Gordon's avatar
    sepolicy: Add rules for non-init namespaces  
    Benjamin Gordon committed
    32 
    allow hal_bluetooth self:global_capability_class_set sys_nice;