From 7fa2f9e0f5ea5c24d4e14ba4aef14cfc7090a388 Mon Sep 17 00:00:00 2001
From: William Roberts <bill.c.roberts@gmail.com>
Date: Thu, 31 May 2012 09:40:12 -0400
Subject: [PATCH] Policy for hci_attach service.

---
 device.te     | 6 ++++++
 file.te       | 5 +++++
 hci_attach.te | 9 +++++++++
 rild.te       | 1 +
 4 files changed, 21 insertions(+)
 create mode 100644 hci_attach.te

diff --git a/device.te b/device.te
index 6424db647..ac34d727c 100644
--- a/device.te
+++ b/device.te
@@ -37,3 +37,9 @@ type urandom_device, dev_type;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
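Review bot: The new type is named `hci_attach_dev`, while the neighbouring device types in this hunk all carry the `_device` suffix (`video_device`, `vcs_device`, `zero_device`). `type hci_attach_device, dev_type;` would keep the naming uniform, with the matching rename in the chr_file rule in hci_attach.te. The comment could also state that nothing in the common policy labels a node with this type, as far as this patch shows. Until per-device policy labels the UART, the hci_attach rule on this type grants nothing.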
diff --git a/file.te b/file.te
index b6e3a5d08..4e3bd535d 100644
--- a/file.te
+++ b/file.te
@@ -56,6 +56,11 @@ type efs_file, file_type;
 # Type for wallpaper file.
 type wallpaper_file, file_type;
 
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# defice policy
+type bluetooth_efs_file, file_type;
+
 # Socket types
 type bluetooth_socket, file_type;
 type dbus_socket, file_type;
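Review bot: The added comment misspells "device" as "defice" and does not say what the bluetooth efs files contain. Since this patch gives two domains (hci_attach and rild) read access to the type, a sentence describing the data would let a reviewer judge whether read access is appropriate for each. Suggested last comment line: `# device policy.`, followed by one line naming the contents.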
diff --git a/hci_attach.te b/hci_attach.te
new file mode 100644
index 000000000..3cb0953e5
--- /dev/null
+++ b/hci_attach.te
@@ -0,0 +1,9 @@
+type hci_attach, domain;
+type hci_attach_exec, exec_type, file_type;
+
+init_daemon_domain(hci_attach)
+
+allow hci_attach kernel:system module_request;
+allow hci_attach hci_attach_dev:chr_file rw_file_perms;
+allow hci_attach bluetooth_efs_file:dir r_dir_perms;
+allow hci_attach bluetooth_efs_file:file r_file_perms;
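Review bot: `allow hci_attach kernel:system module_request;` lets this domain trigger kernel module autoloading, and nothing in the file says which module or which operation needs it. The other three rules are tied to types introduced in this patch, but this one is the broadest grant here and the hardest to audit later. A marker in the style rild.te already uses would help, e.g. `# XXX Which module load does hci_attach trigger? Document or remove.`. The diffstat shows no labeling entry for `hci_attach_exec`, so the `init_daemon_domain` transition presumably depends on per-device policy labeling the binary; a one-line header comment saying so would make that explicit.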
diff --git a/rild.te b/rild.te
index a0a4a374a..e65fc362e 100644
--- a/rild.te
+++ b/rild.te
@@ -17,6 +17,7 @@ allow rild mtd_device:dir search;
 allow rild efs_file:dir create_dir_perms;
 allow rild efs_file:file create_file_perms;
 allow rild shell_exec:file rx_file_perms;
+allow rild bluetooth_efs_file:file r_file_perms;
 dontaudit rild self:capability sys_admin;
 # XXX Label sysfs files with a specific type?
 allow rild sysfs:file rw_file_perms;
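Review bot: The added `allow rild bluetooth_efs_file:file r_file_perms;` gives the radio daemon read access to the bluetooth efs files, which the subject "Policy for hci_attach service" does not cover and no comment explains. It is also asymmetric with hci_attach.te, which gets `r_dir_perms` on the same type. If the containing directory is labeled `bluetooth_efs_file` as well, rild would likely need something like `allow rild bluetooth_efs_file:dir search;` for this rule to be usable. Either add a comment saying why rild reads these files, or move the rule to the per-device policy that actually requires it. The rest of rild.te lies outside this hunk.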
-- 
GitLab