From cb835a2852997dde0be2941173f8c879ebbef157 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 23 Nov 2015 17:15:11 -0800
Subject: [PATCH] Add auditallow for bluetoothdomain rules

Let's see if it's safe to get rid of them.

Bug: 25768265
Bug: 25767747
Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96
---
 bluetoothdomain.te | 6 ++++--
 system_server.te | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bluetoothdomain.te b/bluetoothdomain.te
index 9626e4b4b..a84ddf88d 100644
--- a/bluetoothdomain.te
+++ b/bluetoothdomain.te
@@ -3,9 +3,11 @@
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 # TODO: This should no longer be needed with bluedroid for bluetooth
 # but may be getting used for other non-bluetooth sockets that has no
-# specific class defined. Consider taking to specific domains.
+# specific class defined. Consider taking to specific domains. (b/25768265)
 allow bluetoothdomain self:socket create_socket_perms;
+auditallow { bluetoothdomain -system_server } self:socket create_socket_perms;
 
 # Allow clients to use a socket provided by the bluetooth app.
-# TODO: See if this is still required under bluedroid.
+# TODO: See if this is still required under bluedroid. (b/25767747)
 allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
+auditallow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/system_server.te b/system_server.te
index 476a6be62..96d8773f7 100644
--- a/system_server.te
+++ b/system_server.te
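Review bot: The first auditallow in bluetoothdomain.te excludes system_server (`{ bluetoothdomain -system_server }`) without saying why, and the second auditallow on `bluetooth:unix_stream_socket` carries no such exclusion. A reader has to find the matching rule in system_server.te to understand the carve-out; a comment such as `# system_server is excluded: it has its own self:socket rule in system_server.te` would tie the two files together. Both auditallow lines are investigation aids, so marking them as such, e.g. `# Temporary: drop together with the allow rule once audit logs show no users`, would keep them from outliving the referenced bugs. The second rule audits `read` and `write` on a stream socket, which presumably logs on each socket operation of an active client; confirm that volume does not push real denials out of a rate-limited audit log.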
@@ -65,6 +65,10 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
 
+# Use generic "sockets" where the address family is not known
+# to the kernel.
+allow system_server self:socket create_socket_perms;
+
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
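Review bot: The added `allow system_server self:socket create_socket_perms;` is a standing, unaudited grant on the generic socket class, while the exclusion in bluetoothdomain.te suggests the same access is being audited for the other bluetoothdomain members with a view to removing it. The comment says the address family is not known to the kernel but does not name the family system_server actually uses, so nobody can later tell whether the rule can be narrowed or retired. I would record that in the comment, e.g. `# TODO: identify which address family system_server needs here and narrow this rule`, and reference the tracking bug the way the bluetoothdomain.te comments do.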