Do not allow untrusted_app to open tun_device

Third party vpn apps must receive open tun fd from the framework
for device traffic.

neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.

Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78

bluetooth.te

@@ -14,8 +14,12 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)
 
-# Device accesses.
+# TODO why does bluetooth require access to tun_device? If not,
+# remove access and tighten down neverallow rule so that appdomain is
+# not allowed to open (as opposed to just untrusted_app)
+# Device accesses. b/24744295
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
+auditallow bluetooth tun_device:chr_file rw_file_perms;
 
 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for

untrusted_app.te

@@ -29,7 +29,9 @@ bluetooth_domain(untrusted_app)
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };
 
-allow untrusted_app tun_device:chr_file rw_file_perms;
+# Third party vpn apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow untrusted_app tun_device:chr_file { read write getattr ioctl append };
 
 # ASEC
 allow untrusted_app asec_apk_file:file r_file_perms;
@@ -157,3 +159,6 @@ neverallow untrusted_app file_type:file link;
 
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
+
+# Do not allow untrusted app to directly open tun_device
+neverallow untrusted_app tun_device:chr_file open;