author | Szymon Janc <szymon.janc@tieto.com> | 2014-12-23 12:46:21 +0100 |
committer | Szymon Janc <szymon.janc@tieto.com> | 2014-12-24 11:01:53 +0100 |
commit | cba67bc1923a7701d70dd93944077e02b7504a03 (patch) | |
tree | c31bbccea5e3d85e9cb0f4ec641d32fabdcaf181 /android/bluetoothd.te | |
parent | 3fc5cbdaa01d7e00132f93e6acbfdb202539c6e5 (diff) | |
android: Provide SELinux policy files
This adds required policy files and updates documentation with more
SELinux information.
Diffstat (limited to 'android/bluetoothd.te')
-rw-r--r-- | android/bluetoothd.te | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/android/bluetoothd.te b/android/bluetoothd.te
new file mode 100644
index 000000000..532bfbb35
--- /dev/null
+++ b/android/bluetoothd.te
@@ -0,0 +1,47 @@
+type bluetoothd, domain;
+type bluetoothd_exec, exec_type, file_type;
+type bluetoothd_main_exec, exec_type, file_type;
+
+# Start bluetoothd from init
+init_daemon_domain(bluetoothd)
+
+# Data file accesses
+allow bluetoothd bluetooth_data_file:dir w_dir_perms;
+allow bluetoothd bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+allow bluetoothd self:capability { setuid net_admin net_bind_service net_raw };
+allow bluetoothd kernel:system module_request;
+
+# TODO: this may be romoved for userbuild where we don't use bluetoothd_wrapper
+allow bluetoothd bluetoothd_main_exec:file { execute execute_no_trans read open };
+
+# IPC socket communication
+allow bluetoothd self:socket { create_socket_perms accept listen setopt getopt };
+
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothd { bluetooth mediaserver }:unix_stream_socket connectto;
+
+# Allow system app to use sockets and fds
+allow bluetooth bluetoothd:fd use;
+allow bluetooth bluetoothd:unix_stream_socket rw_socket_perms;
+
+# Allow user bluetooth apps to use sockets and fds
+allow bluetoothdomain bluetoothd:fd use;
+allow bluetoothdomain bluetoothd:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
+
+# Other domains that can create and use bluetooth sockets.
+allow bluetoothdomain self:socket create_socket_perms;
+
+#This we might should put to mediaserver.te ?
+allow mediaserver bluetoothd:fd use;
+allow mediaserver bluetoothd:socket rw_socket_perms;
+
+# needs /system/bin/log access
+allow bluetoothd devpts:chr_file rw_file_perms;
+
+# access to uhid device
+allow bluetoothd uhid_device:chr_file rw_file_perms;
+
+# tethering
+allow bluetoothd self:udp_socket create_socket_perms;
+allow bluetoothd self:tcp_socket { create ioctl }; |
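Review bot: The rule `allow bluetoothd devpts:chr_file rw_file_perms;` grants the daemon read/write on every pseudo-terminal node, which is considerably broader than the comment "needs /system/bin/log access" justifies; the comment should say which operation actually touches a pty and whether a narrower permission set (for example read/write on an inherited fd only) would do, or the rule should be revisited. The same file leaves two open questions in the policy itself: the TODO above `allow bluetoothd bluetoothd_main_exec:file { execute execute_no_trans read open };` (typo "romoved" for "removed") should state that `execute_no_trans` exists only for the wrapper path and which builds it applies to, and `#This we might should put to mediaserver.te ?` should be resolved rather than committed as a question, since the two rules below it grant mediaserver access to bluetoothd's fds and sockets. The capability line `allow bluetoothd self:capability { setuid net_admin net_bind_service net_raw };` and `allow bluetoothd kernel:system module_request;` carry no comment explaining the need; a one-line reason per grant would help the next reviewer judge whether each is still required.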