Commit ba12da95 authored by Nick Kralevich

Allow bluetooth access to the tun device.

Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, go to Settings -> Bluetooth.
  2. Turn on Bluetooth.
  3. Pair it with Device B.
  4. Tap on the paired device.

  OBSERVED RESULTS:
  - Bluetooth share crash is observed with "Bluetooth share has stopped" error message
  - Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347ee)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497
parent 50bcd148
...@@ -419,6 +419,3 @@ neverallow appdomain { ...@@ -419,6 +419,3 @@ neverallow appdomain {
security_file security_file
tmpfs tmpfs
}:lnk_file no_w_file_perms; }:lnk_file no_w_file_perms;
# Do not allow Apps to directly open tun_device
neverallow appdomain tun_device:chr_file open;
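Review bot: removing the appdomain-wide neverallow here and re-adding it only for isolated_app and untrusted_app in the other hunks drops the compile-time guarantee for every other appdomain member, even though bluetooth is the only domain that needs the exception. The subtraction form already used elsewhere in this policy (compare the `-coredump_file` entry in the untrusted_app hunk) keeps the original coverage while carving out exactly one domain: `neverallow { appdomain -bluetooth } tun_device:chr_file open;`. If that form was considered and rejected, the commit message should say why.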
...@@ -27,6 +27,7 @@ allow bluetooth self:capability2 wake_alarm; ...@@ -27,6 +27,7 @@ allow bluetooth self:capability2 wake_alarm;
allow bluetooth self:packet_socket create_socket_perms; allow bluetooth self:packet_socket create_socket_perms;
allow bluetooth self:capability { net_admin net_raw net_bind_service }; allow bluetooth self:capability { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms; allow bluetooth self:tun_socket create_socket_perms;
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search; allow bluetooth efs_file:dir search;
# proc access. # proc access.
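Review bot: the commit message quotes only an `open` denial, but the new rule `allow bluetooth tun_device:chr_file rw_file_perms;` grants the full read/write permission set on the device. That is almost certainly the right scope (after the open succeeds, bluetooth has to read and write frames on the descriptor, and because the audit line was captured with `permissive=0` the follow-on read/write denials could never have been logged), but the message should state that read/write is intended rather than leave a later reader to narrow the rule back to `open` because that is the only permission the denial shows.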
...@@ -29,6 +29,9 @@ allow isolated_app self:process ptrace; ...@@ -29,6 +29,9 @@ allow isolated_app self:process ptrace;
##### Neverallow ##### Neverallow
##### #####
# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;
# Do not allow isolated_app to set system properties. # Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write; neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set; neverallow isolated_app property_type:property_service set;
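Review bot: the word "directly" in the new comment is doing important work and deserves one more clause. A neverallow is checked per listed permission, and only `open` is listed, so this rule forbids isolated_app from opening the tun_device path itself; it says nothing about read/write on a descriptor that is already open, which remains governed solely by the allow rules. Spelling that out in the comment ("only `open` is restricted; use of an already-open descriptor is not covered here") prevents someone from later "tightening" it to the full `rw_file_perms` set without realising that is a different guarantee.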
...@@ -178,3 +178,6 @@ neverallow untrusted_app { ...@@ -178,3 +178,6 @@ neverallow untrusted_app {
-coredump_file # userdebug/eng only -coredump_file # userdebug/eng only
') ')
}:dir_file_class_set { create unlink }; }:dir_file_class_set { create unlink };
# Do not allow untrusted_app to directly open tun_device
neverallow untrusted_app tun_device:chr_file open;
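Review bot: the new rule lands after the closing `}:dir_file_class_set { create unlink };` and outside the conditional that the `-coredump_file # userdebug/eng only` / `')` context lines belong to, so it applies on every build variant, which is correct for a neverallow. What a reader of this file alone cannot see is that this rule and the identical isolated_app one are the replacement for the appdomain-wide neverallow deleted in the first hunk; a short comment such as "replaces the former appdomain-wide rule; bluetooth is the only app domain allowed to open tun_device" would record that relationship and keep the two per-domain rules from being treated as unrelated restrictions.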