bluetooth: allow TUNGETIFF TUNSETIFF

system/sepolicy commit 619c1ef2 started enforcing ioctl whitelisting requirements for /dev/tun. Bluetooth needs the ability to issue TUNSETIFF on /dev/tun, so allow access. We also allow access to TUNGETIFF for good measure. Addresses the following denial: avc: denied { ioctl } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=20047 ioctlcmd=0x54ca scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0 Test: policy compiles Change-Id: Ie4c138fc774373cec266c59de6663db147d60423

bluetooth: allow TUNGETIFF TUNSETIFF
system/sepolicy commit 619c1ef2 started enforcing ioctl whitelisting requirements for /dev/tun. Bluetooth needs the ability to issue TUNSETIFF on /dev/tun, so allow access. We also allow access to TUNGETIFF for good measure. Addresses the following denial: avc: denied { ioctl } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=20047 ioctlcmd=0x54ca scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0 Test: policy compiles Change-Id: Ie4c138fc774373cec266c59de6663db147d60423
049c03d8 · Nick Kralevich · 3e8f7bcd · 049c03d8
Commit 049c03d8 authored 6 years ago by Nick Kralevich
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -30,6 +30,7 @@ allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
 allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 allow bluetooth efs_file:dir search;
 # allow Bluetooth to access uhid device for HID profile