Remove generic socket access from untrusted processes

SELinux defines various classes for various socket types, including
tcp_socket, udp_socket, rawip_socket, netlink_socket, etc. Socket
classes not known to the SELinux kernel code get lumped into the generic
"socket" class. In particular, this includes the AF_MSM_IPC socket

Bluetooth using apps were granted access to this generic socket class at
one point in 2012. In 1601132086b054adc70e7f8f38ed24574c90bc37,
a TODO was added indicating that this access was likely unnecessary. In
cb835a2852997dde0be2941173f8c879ebbef157, an auditallow was added to
test to see if this rule was actually used, and in master branch
d0113ae0aed1a455834f26ec847b6ca8610e3b16, this rule was completely

Revoke access to the generic socket class for isolated_app,
untrusted_app, and shell for older Android releases. This is
conceptually a backport of d0113ae0aed1a455834f26ec847b6ca8610e3b16, but
affecting fewer domains to avoid potential breakage.

Add a neverallow rule asserting that this rule isn't present for the
untrusted domains. Contrary to our usual conventions, the neverallow
rule is placed in bluetooth.te, to avoid merge conflicts and simplify

Bug: 28612709
Bug: 25768265
Change-Id: Ibfbb67777e448784bb334163038436f3c4dc1b51
1 file changed