Create policy for PAN connections.

Policy to allow bluetooth tethering. Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Create policy for PAN connections.
ff7e5305 · rpcraig · Stephen Smalley · 4d3f1089 · ff7e5305 · ff7e5305
Commit ff7e5305 authored 12 years ago by rpcraig Committed by Stephen Smalley 12 years ago
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -10,7 +10,7 @@ allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
 r_dir_file(bluetooth, bluetooth_efs_file)

 # Device accesses.
-allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
 allow bluetooth input_device:chr_file write;

 # sysfs access.
@@ -21,3 +21,7 @@ allow bluetooth self:capability net_admin;
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
--- a/dhcp.te
+++ b/dhcp.te
@@ -22,3 +22,11 @@ unix_socket_connect(dhcp, property, init)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
+# netdev-bt-pan driver loading
+allow dhcp kernel:system module_request;
--- a/netd.te
+++ b/netd.te
@@ -4,7 +4,7 @@ type netd_exec, exec_type, file_type;

 init_daemon_domain(netd)
 typeattribute netd mlstrustedsubject;
-allow netd self:capability { net_admin net_raw sys_module };
+allow netd self:capability { net_admin net_raw sys_module kill };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;
@@ -28,3 +28,10 @@ allow netd sysfs:file write;
 # Network driver loading.
 allow netd kernel:system module_request;

+# Set dhcp lease for PAN connection
+unix_socket_connect(netd, property, init)
+allow netd system_prop:property_service set;
+
+# Connect to PAN
+domain_auto_trans(netd, dhcp_exec, dhcp);
+allow netd dhcp:process signal;