Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4b6a6aa861cb003f0fa5ec813699499174efd15c^! / .
commit4b6a6aa861cb003f0fa5ec813699499174efd15c[log] [tgz]
authorwescande <wescande@google.com>Mon Aug 23 16:59:08 2021 +0200
committerWilliam Escande <wescande@google.com>Wed Aug 25 12:33:00 2021 +0000
tree6c5ead660e214ddbe655b6192d4dd228290eafdb
parent26d95ebaab1033a70539785088a4f02ea0dcabe5 [diff]
Allow Bluetooth to access system config

The removing of getSystemConfigEnabledProfilesForPackage
hidden api for mainline project triggered a SEDenial:
```
avc: denied { read } for comm="droid.bluetooth" name="u:object_r:incremental_prop:s0" dev="tmpfs" ino=20229 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0
avc: denied { open } for comm="droid.bluetooth" path="/dev/__properties__/u:object_r:incremental_prop:s0" dev="tmpfs" ino=180 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0
avc: denied { getattr } for comm="droid.bluetooth" path="/dev/__properties__/u:object_r:incremental_prop:s0" dev="tmpfs" ino=180 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0
avc: denied { map } for comm="droid.bluetooth" path="/dev/__properties__/u:object_r:incremental_prop:s0" dev="tmpfs" ino=180 scontext=u:r:bluetooth:s0 tcontext=u:object_r:incremental_prop:s0 tclass=file permissive=0

avc: denied { read } for comm="droid.bluetooth" name="filesystems" dev="proc" ino=4026532079 scontext=u:r:bluetooth:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
avc: denied { open } for comm="droid.bluetooth" path="/proc/filesystems" dev="proc" ino=4026532079 scontext=u:r:bluetooth:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
avc: denied { getattr } for comm="droid.bluetooth" path="/proc/filesystems" dev="proc" ino=4026532079 scontext=u:r:bluetooth:s0 tcontext=u:object_r:proc_filesystems:s0 tclass=file permissive=0
```

Bug: 190440540
Test: Manual
Tag: #refactor
Change-Id: I86c77e540d783a4286a15cdf66b083aae1a55589

diff --git a/private/bluetooth.te b/private/bluetooth.te
index 8fc6d20..0e0cf7f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te

@@ -39,6 +39,10 @@
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
+# For Bluetooth to check what profile are available
+allow bluetooth proc_filesystems:file r_file_perms;
+get_prop(bluetooth, incremental_prop)
+
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, binder_cache_bluetooth_server_prop);
 neverallow { domain -bluetooth -init }