I understand what you suggested here. I wonder if it is possible to set the default context for this special device (e.g., hci_device) so we can have a rule like

Allow bluetoothd hci_device:socket read;

Thanks,
Tai

On 2/17/14, 9:17 PM, "William Roberts" <[email protected]> wrote:

>I think a dynamic type trans is what you want here. I always forget the
>exact syntax but it's something like:
>
>type_trans bluetoothd unlabeled:socket "optional filename";
>
>
>"Tai Nguyen (tainguye)" <[email protected]> wrote:
>
>I think this is a special type of socket; the socket is created based on
>the device id (i.e., sock = hci_open_dev(hci_get_route(NULL))).
>This socket is the connection to the microcontroller of the local
>bluetooth adapter. It is not a typical client-server socket.
>
>Tai
>
>From: William Roberts <[email protected]>
>Date: Monday, February 17, 2014 at 8:59 PM
>To: Tai Nguyen <[email protected]>
>Cc: "[email protected]" <[email protected]>
>Subject: Re: How to set Security context for blueZ HCI socket
>
>
>Well it depends on who is doing the create and in that code it's not
>obvious to me. Is your socket created by the service declaration in
>init.rc? If so then look at the readme, there's an option for specifying
>the contexts. You may need to do a dynamic type trans for that socket
>type. Depending on kernel version you can use named dynamic type trans.
>
>On Feb 17, 2014 5:49 PM, "Tai Nguyen (tainguye)" <[email protected]> wrote:
>
>This is a sample code of HCI socket that blueZ uses
>(http://people.csail.mit.edu/albert/bluez-intro/c404.html)
>
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>   /* memset, strcpy (missing from the original sample) */
>#include <unistd.h>
>#include <sys/socket.h>
>#include <bluetooth/bluetooth.h>
>#include <bluetooth/hci.h>
>#include <bluetooth/hci_lib.h>
>
>int main(int argc, char **argv)
>{
>    inquiry_info *ii = NULL;
>    int max_rsp, num_rsp;
>    int dev_id, sock, len, flags;
>    int i;
>    char addr[19] = { 0 };
>    char name[248] = { 0 };
>
>    /* Pick the first local adapter and open a raw HCI socket to it;
>     * this is the socket whose SELinux label is being discussed. */
>    dev_id = hci_get_route(NULL);
>    sock = hci_open_dev( dev_id );
>    if (dev_id < 0 || sock < 0) {
>        perror("opening socket");
>        exit(1);
>    }
>
>    len = 8;        /* inquiry length, in units of 1.28 s */
>    max_rsp = 255;  /* maximum number of devices to report */
>    flags = IREQ_CACHE_FLUSH;
>    ii = (inquiry_info*)malloc(max_rsp * sizeof(inquiry_info));
>
>    num_rsp = hci_inquiry(dev_id, len, max_rsp, NULL, &ii, flags);
>    if( num_rsp < 0 ) perror("hci_inquiry");
>
>    /* Resolve each discovered address to a friendly name over the HCI socket. */
>    for (i = 0; i < num_rsp; i++) {
>        ba2str(&(ii+i)->bdaddr, addr);
>        memset(name, 0, sizeof(name));
>        if (hci_read_remote_name(sock, &(ii+i)->bdaddr, sizeof(name),
>                name, 0) < 0)
>            strcpy(name, "[unknown]");
>        printf("%s  %s\n", addr, name);
>    }
>
>    free( ii );
>    close( sock );
>    return 0;
>}
>
>
>Tai
>
>From: William Roberts <[email protected]>
>Date: Monday, February 17, 2014 at 8:27 PM
>To: Tai Nguyen <[email protected]>
>Cc: "[email protected]" <[email protected]>
>Subject: Re: How to set Security context for blueZ HCI socket
>
>
>Depends on how the socket gets created. Could you provide more details?
>
>On Feb 17, 2014 4:01 PM, "Tai Nguyen (tainguye)" <[email protected]> wrote:
>
>Our device uses blueZ stack instead of bluedroid, and we have audit
>message about unlabeled socket
>
>
>audit(1392652331.875:225): avc: denied { read } for pid=5249
>comm="bluetoothd" scontext=u:r:bluetoothd:s0
>tcontext=u:object_r:unlabeled:s0 tclass=socket
>
>This could be the hci socket that blueZ uses. How do I set security label
>for this type of socket?
>
>Thanks,
>Tai
>
>_______________________________________________
>Seandroid-list mailing list
>[email protected]
>To unsubscribe, send email to [email protected].
>To get help, send an email containing "help" to [email protected].
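As an added example (not from this thread, BlueZ or the SEAndroid project), a small Python triage of the avc line quoted above: it parses the denial into its fields and, because the target type is unlabeled, reports a labeling problem instead of just printing an allow rule for the unlabeled type. The second sample line, using a hypothetical hci_device type, is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Constructed samples: the first is the denial from the thread, re-wrapped;
# the second is a made-up denial against a properly labeled hci_device type.
SAMPLE_DENIALS = [
    'audit(1392652331.875:225): avc: denied { read } for pid=5249 '
    'comm="bluetoothd" scontext=u:r:bluetoothd:s0 '
    'tcontext=u:object_r:unlabeled:s0 tclass=socket',
    'audit(1392652400.001:226): avc: denied { read write } for pid=5249 '
    'comm="bluetoothd" scontext=u:r:bluetoothd:s0 '
    'tcontext=u:object_r:hci_device:s0 tclass=socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


@dataclass
class Denial:
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    comm: str


def parse_avc(line):
    """Return a Denial for an avc line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Denial(perms=m.group('perms').split(), scontext=fields['scontext'],
                  tcontext=fields['tcontext'], tclass=fields['tclass'],
                  comm=fields.get('comm', ''))


def type_of(context):
    # Third field of user:role:type:level, e.g. u:object_r:unlabeled:s0 -> unlabeled
    return context.split(':')[2]


def triage(line):
    """Classify a denial: 'labeling' if the object has no real type, else 'allow'."""
    d = parse_avc(line)
    if d is None:
        return None
    perms = sorted(d.perms)
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    rule = 'allow %s %s:%s %s;' % (type_of(d.scontext), type_of(d.tcontext), d.tclass, perm_text)
    if type_of(d.tcontext) == 'unlabeled':
        # Granting access to the unlabeled type hides the real problem: the object
        # needs a type of its own (device context or type transition on creation).
        return {'kind': 'labeling', 'rule': rule, 'process': d.comm}
    return {'kind': 'allow', 'rule': rule, 'process': d.comm}
```

Running `triage` over the first sample yields a `labeling` finding with the rule `allow bluetoothd unlabeled:socket read;` shown only as what a naive audit2allow pass would produce, not as the fix.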
