# bluetooth subsystem
# SELinux type-enforcement policy for the bluetooth app domain.
type bluetooth, domain;
# app_domain()/net_domain() are policy macros that pull in the common
# app and networking rule sets for this domain (defined elsewhere in the tree).
app_domain(bluetooth)
net_domain(bluetooth)

# Data file accesses: full directory and file management over objects
# labelled bluetooth_data_file.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

# Socket creation under /data/misc/bluedroid.
# Socket files bluetooth creates inside a bluetooth_data_file directory are
# labelled bluetooth_socket by default (type_transition), so they get a
# distinct type rather than inheriting the directory's label.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file create_file_perms;

# bluetooth factory file accesses (read-only: r_dir_file grants no write).
r_dir_file(bluetooth, bluetooth_efs_file)

# Device accesses: read/write on the tun, uhid and HCI-attach character devices.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# Because of that, this rule grants the generic "socket" class to every
# domain carrying the bluetoothdomain attribute, not just to bluetooth.
# TODO: This should no longer be needed with bluedroid for bluetooth
# but may be getting used for other non-bluetooth sockets that has no
# specific class defined. Consider taking to specific domains.
allow bluetoothdomain self:socket create_socket_perms;

# sysfs access, limited to nodes labelled sysfs_bluetooth_writable.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
# Capabilities: net_admin and wake_alarm are the only ones granted; the
# neverallow rules at the end of this file enforce that no other
# capability can be added to this domain.
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;

# Allow clients to use a socket provided by the bluetooth app.
# Only operations on an already-provided unix stream socket are listed;
# create/bind/connect/accept are deliberately absent from this set.
# TODO: See if this is still required under bluedroid.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

# tethering
allow bluetooth self:tun_socket create_socket_perms;
allow bluetooth efs_file:dir search;

# proc access, limited to entries labelled proc_bluetooth_writable.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;

# Allow write access to bluetooth specific properties
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
set_prop(bluetooth, ctl_dhcp_pan_prop)

# Services bluetooth may look up through servicemanager (find only;
# this does not by itself grant Binder access to the service's domain).
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;

# Bluetooth Sim Access Profile Socket to the RIL
unix_socket_connect(bluetooth, sap_uim, rild)

# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
# Only "read" is listed (no "open"), so bluetooth can read a descriptor
# it has been handed but cannot open shell_data_file objects itself.
allow bluetooth shell_data_file:file read;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
### NOTE(review): this section asserts only on capabilities; the generic
### socket grant to the bluetoothdomain attribute above is not covered by
### any neverallow here — confirm that is intended.

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# '~' is the complement: every capability other than the one named is
# denied, and policy compilation fails if any allow rule grants one.
neverallow bluetooth self:capability ~net_admin;
neverallow bluetooth self:capability2 ~wake_alarm;