From 049c03d8c52b685d42fafb0d6123e3d4fabb0170 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 10 Nov 2018 09:03:10 -0800
Subject: [PATCH] bluetooth: allow TUNGETIFF TUNSETIFF

system/sepolicy commit 619c1ef2ac581fe6a3d628ee013fc3ec36b8dc07 started enforcing ioctl whitelisting requirements for /dev/tun. Bluetooth needs the ability to issue TUNSETIFF on /dev/tun, so allow access. We also allow access to TUNGETIFF for good measure.

Addresses the following denial:

avc: denied { ioctl } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=20047 ioctlcmd=0x54ca scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0

Test: policy compiles
Change-Id: Ie4c138fc774373cec266c59de6663db147d60423
---
 private/bluetooth.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/private/bluetooth.te b/private/bluetooth.te
index d4198553e..68cfb3530 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -30,6 +30,7 @@ allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
 allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 allow bluetooth efs_file:dir search;
 
 # allow Bluetooth to access uhid device for HID profile
-- 
GitLab
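Review bot: The added allowxperm line grants TUNGETIFF without an observed denial — the commit message adds it "for good measure", while the quoted avc record (ioctlcmd=0x54ca, the low 16 bits of TUNSETIFF) only demonstrates TUNSETIFF. The neighbouring rules deliberately use create_socket_perms_no_ioctl, which suggests the ioctl whitelist for this domain is meant to stay at the minimum the use case requires; either drop TUNGETIFF until a denial justifies it, or record in the policy why the read-only query is acceptable. A comment directly above the new rule, such as `# TUNSETIFF is required by bluetooth on /dev/tun (see avc denial in Ie4c138fc); TUNGETIFF is read-only and allowed for convenience, no denial observed`, would give the next maintainer the rationale that currently lives only in the commit message. The hunk is a flat rule list with no enclosing block.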