Create policy for PAN connections.
Policy to allow bluetooth tethering.
Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/bluetooth.te b/bluetooth.te
index 102ee20..8fb0882 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -10,7 +10,7 @@
r_dir_file(bluetooth, bluetooth_efs_file)
# Device accesses.
-allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
allow bluetooth input_device:chr_file write;
# sysfs access.
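Review bot: The `uhid_device` grant added on the `+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;` line is not explained by the commit message, which covers only PAN tethering; `tun_device` is the tethering interface, but uhid is a separate input path. If the uhid access is intentional it deserves its own comment above the rule, e.g. `# /dev/tun for PAN tethering; /dev/uhid for Bluetooth HID devices`, or a separate commit so the two grants can be reviewed and reverted independently. The `# tethering` comment that justifies `tun_device` is in the next hunk, so a reader of this hunk alone sees an undocumented widening of device access.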
@@ -21,3 +21,7 @@
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
allow bluetoothdomain self:socket *;
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
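Review bot: The `+allow bluetooth efs_file:dir search;` line sits under the new `# tethering` comment but does not appear to be a tethering permission; it presumably grants directory traversal toward the `bluetooth_efs_file` objects already covered by `r_dir_file(bluetooth, bluetooth_efs_file)` in the first hunk. It would be clearer next to that rule with its own comment, e.g. `# Traverse the efs mount to reach bluetooth_efs_file`, leaving the `tun_socket`/`udp_socket` `{ ioctl create }` rule alone under `# tethering`. A one-line comment on that socket rule saying which ioctl use it supports (interface configuration rather than a data path, if that is the case) would also help the next maintainer avoid widening it to `rw_socket_perms`.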
diff --git a/dhcp.te b/dhcp.te
index 1cf7af5..0c533eb 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -22,3 +22,11 @@
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
+# netdev-bt-pan driver loading
+allow dhcp kernel:system module_request;
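Review bot: The `netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write }` rule lets the dhcp client read and write netd's privileged netlink sockets; these look like descriptors inherited across the exec into dhcp (the transition is `domain_auto_trans(netd, dhcp_exec, dhcp)` in netd.te, outside this hunk), together with `netd:fd use` and the fifo/socket grants above it. The usual fix is for netd to close or mark those descriptors close-on-exec before spawning dhcp, after which these rules can become `dontaudit` rather than `allow`, so a dhcp client that parses untrusted network input cannot reach netd's routing socket. Similarly, `allow dhcp kernel:system module_request;` lets the dhcp client trigger kernel module autoloading; since netd already holds `module_request` (visible in the netd.te hunk), loading the netdev-bt-pan driver from netd before the transition would keep that capability out of dhcp. If the grants must stay, a comment stating they cover inherited descriptors would make the intent explicit.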
diff --git a/netd.te b/netd.te
index 47687dc..654dae5 100644
--- a/netd.te
+++ b/netd.te
@@ -4,7 +4,7 @@
init_daemon_domain(netd)
typeattribute netd mlstrustedsubject;
-allow netd self:capability { net_admin net_raw sys_module };
+allow netd self:capability { net_admin net_raw sys_module kill };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
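Review bot: The `kill` capability added to `+allow netd self:capability { net_admin net_raw sys_module kill };` is broad: CAP_KILL lets netd signal any process regardless of uid, while the intended target is only the dhcp child (`allow netd dhcp:process signal` in the later hunk). If netd and dhcp run under the same uid the `signal` permission alone is sufficient and `kill` can be dropped; if they differ, a comment tying the capability to that use, e.g. `# kill: signal the dhcp child spawned for PAN (different uid)`, would document why it is needed and discourage reuse for other purposes.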
@@ -28,3 +28,10 @@
# Network driver loading.
allow netd kernel:system module_request;
+# Set dhcp lease for PAN connection
+unix_socket_connect(netd, property, init)
+allow netd system_prop:property_service set;
+
+# Connect to PAN
+domain_auto_trans(netd, dhcp_exec, dhcp);
+allow netd dhcp:process signal;
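Review bot: `+allow netd system_prop:property_service set;` grants netd write access to every property labelled `system_prop`, while the comment says only a DHCP lease property for the PAN connection needs setting; if the property contexts define (or could define) a narrower type for those dhcp properties, scoping the rule to it would follow least privilege, and otherwise the comment should say that the broad grant is deliberate. As a point of style, `domain_auto_trans(netd, dhcp_exec, dhcp);` carries a trailing semicolon whereas the existing macro call `init_daemon_domain(netd)` at the top of this file does not; keeping one convention, `domain_auto_trans(netd, dhcp_exec, dhcp)`, avoids a stray empty statement in the expanded policy.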