Restrict access to Bluetooth system properties This removes access to Bluetooth system properties from arbitrary SELinux domains. Access remains granted to init, bluetooth, and system_app domains. neverallow rules / CTS enforce that access is not granted to Zygote and processes spawned from Zygote expcept for system_app and bluetooth. The reason is that some of these properties may leak persistent identifiers not resettable by the user. Test: Bluetooth pairing and data transfer works Bug: 33700679 Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472

commit: 6e4508e625e29f1a782428447de142e96498b5e4 [log] [tgz]
author: Alex Klyubin <klyubin@google.com> Tue Dec 27 18:05:46 2016 -0800
committer: Alex Klyubin <klyubin@google.com> Tue Dec 27 18:08:13 2016 -0800
tree: 3bc1ce3f5fe5f596d91b5515fc05e3e5e82507c8
parent: 0555222dba5f36dca38d9edb066c375fae67197b [diff]
diff --git a/private/property_contexts b/private/property_contexts
index 39e8a8d..80476cc 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -61,7 +61,9 @@
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
 ro.serialno             u:object_r:serialno_prop:s0
+ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
 ro.boot.serialno        u:object_r:serialno_prop:s0
+ro.bt.                  u:object_r:bluetooth_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
commit	6e4508e625e29f1a782428447de142e96498b5e4	[log] [tgz]
author	Alex Klyubin <klyubin@google.com>	Tue Dec 27 18:05:46 2016 -0800
committer	Alex Klyubin <klyubin@google.com>	Tue Dec 27 18:08:13 2016 -0800
tree	3bc1ce3f5fe5f596d91b5515fc05e3e5e82507c8
parent	0555222dba5f36dca38d9edb066c375fae67197b [diff]