Confine bluetooth app.

Remove unconfined_domain() from the bluetooth app domain, restore the rules from our policy, and move the neverallow rule for bluetooth capabilities to bluetooth.te. Make the bluetooth domain permissive again until it has received sufficient testing. Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine bluetooth app.
d7fd22e6 · Stephen Smalley · 28a711c8 · d7fd22e6 · d7fd22e6
Commit d7fd22e6 authored 11 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -132,7 +132,6 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # Superuser capabilities.
 # bluetooth requires net_admin.
 neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
 neverallow { appdomain -unconfineddomain } self:capability2 *;

 # Block device access.

--- a/bluetooth.te
+++ b/bluetooth.te
 # bluetooth subsystem
 type bluetooth, domain;
+permissive bluetooth;
 app_domain(bluetooth)
-unconfined_domain(bluetooth)
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+# Device accesses.
+allow bluetooth { tun_device uhid_device hci_attach_dev input_device }:chr_file rw_file_perms;
+
+# Other domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow bluetooth self:capability net_admin;
+
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
+
+# Talk to init over the property socket.
+unix_socket_connect(bluetooth, property, init)
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# bluetooth file transfers
+allow bluetooth sdcard_internal:dir create_dir_perms;
+allow bluetooth sdcard_internal:file create_file_perms;
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow bluetooth self:capability ~net_admin;