From 6e4508e625e29f1a782428447de142e96498b5e4 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 27 Dec 2016 18:05:46 -0800
Subject: [PATCH] Restrict access to Bluetooth system properties

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote except for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
---
 private/property_contexts | 2 ++
 public/app.te             | 8 ++++++++
 public/property.te        | 3 +--
 public/webview_zygote.te  | 4 ++++
 public/zygote.te          | 3 +++
 5 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/private/property_contexts b/private/property_contexts
index 39e8a8db8..80476cc25 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -61,7 +61,9 @@ persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
 ro.serialno             u:object_r:serialno_prop:s0
+ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
 ro.boot.serialno        u:object_r:serialno_prop:s0
+ro.bt.                  u:object_r:bluetooth_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
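Review bot: The two new entries depend on file order, since (as far as I recall of libselinux's property backend) property_contexts is searched top-down and the first entry whose key is a prefix of the property name wins; `ro.boot.btmacaddr` and `ro.bt.` therefore only label anything if no broader entry such as `ro.` or `ro.boot.` precedes them, which cannot be confirmed from this hunk. Note also that `ro.boot.btmacaddr` is written as a single name while `ro.bt.` is a prefix, so any other Bluetooth-related `ro.boot.*` property would still receive whatever label an earlier entry gives it. A short comment next to the entries, e.g. `# Bluetooth identifiers (MAC address); must precede any ro./ro.boot. catch-all`, would make the ordering constraint visible to the next editor.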
diff --git a/public/app.te b/public/app.te
index 77af57c8c..370f5394b 100644
--- a/public/app.te
+++ b/public/app.te
@@ -468,3 +468,11 @@ neverallow {
   appdomain
   -shell # bugreport
 } input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+  appdomain
+  -bluetooth
+  -system_app
+} bluetooth_prop:file create_file_perms;
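Review bot: The new neverallow only forbids access to the property area file (`bluetooth_prop:file create_file_perms`), not the `property_service set` operation, so an app domain that is later granted `set_prop(..., bluetooth_prop)` would be neither blocked by this rule nor flagged by CTS. Since this patch also drops `core_property_type` from `bluetooth_prop`, which takes it out of the `core_property_type ... :property_service set` neverallow in property.te, the write side now has no neverallow at all unless one exists elsewhere that I cannot see. Consider pairing this rule with `neverallow { appdomain -bluetooth -system_app } bluetooth_prop:property_service set;`, and likewise for the zygote and webview_zygote rules later in the patch.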
diff --git a/public/property.te b/public/property.te
index ce5ce2f9b..1bde35c4d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,6 +1,6 @@
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
-type bluetooth_prop, property_type, core_property_type;
+type bluetooth_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
 type ctl_bootanim_prop, property_type;
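Review bot: Dropping `core_property_type` from `bluetooth_prop` removes the domain-wide read grant that core properties receive (as I recall, `allow domain core_property_type:file r_file_perms;` in domain.te), so every domain that still needs these properties must now hold an explicit `get_prop`/`set_prop` rule of its own. The diffstat shows no change to bluetooth.te or system_app.te, so the description's statement that bluetooth and system_app keep access presumably relies on rules already present in those files; that is worth confirming before merge, because a missing grant would only surface at runtime as an avc denial in the pairing path the Test: line covers. The hunk below this one, which removes `-bluetooth_prop` from the set-neverallow exclusion list, is the consistent follow-up to this line and needs no separate change.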
@@ -61,7 +61,6 @@ allow property_type tmpfs:filesystem associate;
 neverallow * {
   core_property_type
   -audio_prop
-  -bluetooth_prop
   -config_prop
   -cppreopt_prop
   -dalvik_prop
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 71f3f9a3c..93bbbb1ef 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -102,3 +102,7 @@ neverallow webview_zygote domain:{
   netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
   netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
 } *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/public/zygote.te b/public/zygote.te
index aabf12fd4..385be94a3 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -123,3 +123,6 @@ neverallow zygote {
   data_file_type
   -dalvikcache_data_file # map PROT_EXEC
 }:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;
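Review bot: The comment above the new rule says "system properties and files", but the rule itself denies only `bluetooth_prop:file`, i.e. the property area file, and does not touch Bluetooth data files (those are handled, if at all, by the rules above this hunk). Suggest `# Do not allow access to Bluetooth-related system properties.` so the comment matches the rule and the wording used for webview_zygote in this same patch.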
-- 
GitLab