From be27f92a3e3a8ece1d5819e3cfd9a4cb2c47c96e Mon Sep 17 00:00:00 2001
From: Andre Eisenbach <eisenbach@google.com>
Date: Wed, 12 Oct 2016 14:49:56 -0700
Subject: [PATCH] Add selinux policy for Bluetooth HAL
Bug: 31972505
Test: VTS test passes, Bluetooth starts/stops
Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08
---
private/file_contexts | 1 +
private/hal_bluetooth_default.te | 9 +++++++++
public/attributes | 1 +
public/bluetooth.te | 1 +
public/hal_bluetooth.te | 25 +++++++++++++++++++++++++
public/system_server.te | 1 +
6 files changed, 38 insertions(+)
create mode 100644 private/hal_bluetooth_default.te
create mode 100644 public/hal_bluetooth.te
diff --git a/private/file_contexts b/private/file_contexts
index 3fc812917..0b81d4cc6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -235,6 +235,7 @@
/system/fake-lib(64)?/libart.* u:object_r:libart_file:s0
/system/lib(64)?/libart.* u:object_r:libart_file:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/system/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
new file mode 100644
index 000000000..f77410cf3
--- /dev/null
+++ b/private/hal_bluetooth_default.te
@@ -0,0 +1,9 @@
+type hal_bluetooth_default, hal_bluetooth, domain;
+type hal_bluetooth_default_exec, exec_type, file_type;
+
+init_daemon_domain(hal_bluetooth_default)
+
+# VTS tests need to be able to toggle rfkill
+userdebug_or_eng(`
+ allow hal_bluetooth_default self:capability net_admin;
+')
diff --git a/public/attributes b/public/attributes
index 9bed18da2..6c2904249 100644
--- a/public/attributes
+++ b/public/attributes
@@ -116,6 +116,7 @@ attribute update_engine_common;
# HALs
attribute hal_audio;
+attribute hal_bluetooth;
attribute hal_dumpstate;
attribute hal_gatekeeper;
attribute hal_graphics_allocator;
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 9f21676a7..209a68b69 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -60,6 +60,7 @@ allow bluetooth shell_data_file:file read;
# Perform HwBinder IPC.
hwbinder_use(bluetooth)
+binder_call(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
###
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
new file mode 100644
index 000000000..d06147137
--- /dev/null
+++ b/public/hal_bluetooth.te
@@ -0,0 +1,25 @@
+# hwbinder access
+hwbinder_use(hal_bluetooth)
+
+r_dir_file(hal_bluetooth, system_file)
+
+# call into the Bluetooth process (callbacks)
+binder_call(hal_bluetooth, bluetooth)
+
+wakelock_use(hal_bluetooth);
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# Access to config files to look for a Bluetooth address
+r_dir_file(hal_bluetooth, bluetooth_data_file)
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_prop)
diff --git a/public/system_server.te b/public/system_server.te
index b77cf15ad..aa096797a 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -159,6 +159,7 @@ binder_service(system_server)
# Perform HwBinder IPC.
hwbinder_use(system_server)
+binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
binder_call(system_server, hal_ir)
--
GitLab