xref: /aosp_15_r20/system/sepolicy/prebuilts/api/30.0/private/bluetooth.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# bluetooth app
#
# SELinux policy for the `bluetooth` domain. The file has three parts:
# domain setup, the allow rules that grant access, and neverallow
# assertions that cap the kernel capabilities this domain may ever hold.
# Macros and permission sets used here (app_domain, net_domain, set_prop,
# create_file_perms, priv_sock_ioctls, ...) are defined outside this file.

# Add the bluetooth type to the coredomain attribute.
typeattribute bluetooth coredomain;

# NOTE(review): macro bodies are not visible here; presumably these grant
# the baseline app and network permissions. Confirm against the macro
# definitions before reasoning about the total access of this domain.
app_domain(bluetooth)
net_domain(bluetooth)

# Socket creation under /data/misc/bluedroid.
# A sock_file that bluetooth creates in a bluetooth_data_file directory is
# labelled bluetooth_socket rather than inheriting the directory's label.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;

# Allow access to net_admin ioctls
# Extended-permission rule: names the ioctl commands (priv_sock_ioctls)
# permitted on the domain's own UDP sockets. An allowxperm only takes effect
# together with an allow rule for the ioctl permission, which is not in this
# file. NOTE(review): presumably it comes from net_domain(); confirm.
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;

# NOTE(review): presumably the source of the block_suspend capability that
# the capability2 neverallow at the end of this file exempts; confirm.
wakelock_use(bluetooth);

# Data file accesses.
# Create-level access to the data directory and every non-device file class
# in it; the logs directory gets rw_dir_perms and create-level access to
# regular files only.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;

# Socket creation under /data/misc/bluedroid.
# Access to the socket files labelled by the type_transition above.
allow bluetooth bluetooth_socket:sock_file create_file_perms;

# net_admin is granted again in the tethering block below, so the first rule
# here is redundant with it. wake_alarm is a capability2 permission and is
# exempted by the matching neverallow at the end of the file.
allow bluetooth self:global_capability_class_set net_admin;
allow bluetooth self:global_capability2_class_set wake_alarm;

# tethering
# Packet and tun sockets (without socket ioctls, per the _no_ioctl
# permission sets) plus the three network capabilities.
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
# ioctl allowlist for the tun device: with this rule present, only
# TUNGETIFF and TUNSETIFF pass the extended-permission check.
allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
# NOTE(review): search-only access to efs_file directories; the reason is
# not stated in this file. Confirm it is still required.
allow bluetooth efs_file:dir search;

# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file rw_file_perms;

# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;

# Allow write access to bluetooth specific properties
# The neverallow below is a build-time assertion: no domain other than
# bluetooth and init may set binder_cache_bluetooth_server_prop.
# NOTE(review): the first set_prop() line ends with ';' while the other
# set_prop() lines do not; this is only a style inconsistency.
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
    binder_cache_bluetooth_server_prop:property_service set;
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, exported_bluetooth_prop)
set_prop(bluetooth, pan_result_prop)

# Services that bluetooth may look up through the service manager. Only
# `find` is granted here; calling a service needs further rules that are
# not part of this file.
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;

# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
# Only `read` is granted, not `open`: bluetooth can use a descriptor that
# was passed to it but cannot open shell data files by path itself.
allow bluetooth shell_data_file:file read;

# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
allow bluetooth self:global_capability_class_set sys_nice;

# HAL client access for the Bluetooth and telephony HALs.
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)

# Bluetooth A2DP offload requires binding with audio HAL
hal_client_domain(bluetooth, hal_audio)

read_runtime_log_tags(bluetooth)

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###

# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
# `~{ ... }` is the complement of the listed set, so each rule fails the
# policy build if any other capability is granted to this domain. The first
# rule covers the capability classes, the second the capability2 classes.
# Granting bluetooth a new capability therefore means editing these
# allowlists as well, which is the point where the change should be reviewed.
neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };