From e555f4b971c6bb34633dd2edbe3dd950a052ec41 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 3 Dec 2015 15:56:04 -0800
Subject: [PATCH] Further restrict access to tun_device

Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
---
 app.te           | 3 +++
 bluetooth.te     | 7 +------
 untrusted_app.te | 3 ---
 3 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/app.te b/app.te
index bc4246586..94dcfc5bd 100644
--- a/app.te
+++ b/app.te
@@ -396,3 +396,6 @@ neverallow appdomain {
   security_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Do not allow Apps to directly open tun_device
+neverallow appdomain tun_device:chr_file open;
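Review bot: The comment above the new `neverallow appdomain tun_device:chr_file open;` says what is forbidden but not why only `open` is covered, so a later reader cannot tell whether leaving read/write/ioctl out is deliberate. The word "directly" suggests apps are meant to use a descriptor opened for them by a more privileged process, though nothing in this hunk shows that. If that is the intent, say so, e.g. `# Do not allow Apps to directly open tun_device. Apps may only use an` / `# already-open tun fd handed to them by a privileged process.` Because `appdomain` is wider than the old `untrusted_app` scope, any device-specific policy that grants an app domain `open` on tun_device will now fail the neverallow check at build time, which deserves a line in the commit description.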
diff --git a/bluetooth.te b/bluetooth.te
index 826856c27..c50975765 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -16,12 +16,7 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)
 
-# TODO why does bluetooth require access to tun_device? If not,
-# remove access and tighten down neverallow rule so that appdomain is
-# not allowed to open (as opposed to just untrusted_app)
-# Device accesses. b/24744295
-allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
-auditallow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
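Review bot: The rewritten `allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;` lost its heading, because the `Device accesses.` comment was removed together with the TODO. The neighbouring rules keep theirs (`# bluetooth factory file accesses.`, `# sysfs access.`), so restore `# Device accesses.` above the allow line. Separately, an auditallow only logs accesses on code paths that were actually exercised. If any Bluetooth feature uses a TUN/TAP interface (network tethering over Bluetooth would be the one to check), confirm it was run while the audit rule was in place. This commit removes read/write on inherited descriptors as well as `open`.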
diff --git a/untrusted_app.te b/untrusted_app.te
index 0e715469b..df9c67751 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -145,9 +145,6 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# Do not allow untrusted app to directly open tun_device
-neverallow untrusted_app tun_device:chr_file open;
-
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
 neverallow untrusted_app cache_file:file ~{ read getattr };
-- 
GitLab