bluetooth.te - platform/external/sepolicy - Git at Google

 # bluetooth subsystem
 type bluetooth, domain;
 permissive bluetooth;
 app_domain(bluetooth)

 # Data file accesses.
 allow bluetooth bluetooth_data_file:dir create_dir_perms;
 allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)

 # Device accesses.
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;

 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;

 # Allow clients to use a socket provided by the bluetooth app.
 allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

 # tethering
 allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
 allow bluetooth efs_file:dir search;

 # Talk to init over the property socket.
 unix_socket_connect(bluetooth, property, init)

 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;

 # bluetooth file transfers
 allow bluetooth sdcard_internal:dir create_dir_perms;
 allow bluetooth sdcard_internal:file create_file_perms;

 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;

 ###
 ### Neverallow rules
 ###
 ### These are things that the bluetooth app should NEVER be able to do
 ###

 # Superuser capabilities.
 # bluetooth requires net_admin.
 neverallow bluetooth self:capability ~net_admin;
	# bluetooth subsystem
	type bluetooth, domain;
	permissive bluetooth;
	app_domain(bluetooth)

	# Data file accesses.
	allow bluetooth bluetooth_data_file:dir create_dir_perms;
	allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

	# bluetooth factory file accesses.
	r_dir_file(bluetooth, bluetooth_efs_file)

	# Device accesses.
	allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

	# Other domains that can create and use bluetooth sockets.
	# SELinux does not presently define a specific socket class for
	# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
	allow bluetoothdomain self:socket *;

	# sysfs access.
	allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
	allow bluetooth self:capability net_admin;

	# Allow clients to use a socket provided by the bluetooth app.
	allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

	# tethering
	allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
	allow bluetooth efs_file:dir search;

	# Talk to init over the property socket.
	unix_socket_connect(bluetooth, property, init)

	# proc access.
	allow bluetooth proc_bluetooth_writable:file rw_file_perms;

	# bluetooth file transfers
	allow bluetooth sdcard_internal:dir create_dir_perms;
	allow bluetooth sdcard_internal:file create_file_perms;

	# Allow write access to bluetooth specific properties
	allow bluetooth bluetooth_prop:property_service set;

	###
	### Neverallow rules
	###
	### These are things that the bluetooth app should NEVER be able to do
	###

	# Superuser capabilities.
	# bluetooth requires net_admin.
	neverallow bluetooth self:capability ~net_admin;