"selinux: support distinctions among all network address families" causing existing bluetooth sepolicies to not work properly with Android?

From: John Stultz
Date: Tue Jun 06 2017 - 20:45:43 EST


Hey folks,

Recently I was working to validate/enable a new bluetooth HAL on HiKey
with Android, and after getting it working properly with a 4.9 based
kernel, I found that I was seeing failures trying to run with an
upstream (4.12-rc3 based) kernel.

It seemed a call to:
socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);

was suddenly failing, and running "setenforce 0" would allow it to
continue properly.

I chased the issue down to da69a5306ab9 ("selinux: support
distinctions among all network address families"). And work around it
with the following (whitespace corrupted, sorry) hack:

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e67a526..42dfd0f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1379,8 +1379,8 @@ static inline u16
socket_type_to_security_class(int family, int type, int protoc
return SECCLASS_CAN_SOCKET;
case PF_TIPC:
return SECCLASS_TIPC_SOCKET;
- case PF_BLUETOOTH:
- return SECCLASS_BLUETOOTH_SOCKET;
+// case PF_BLUETOOTH:
+// return SECCLASS_BLUETOOTH_SOCKET;
case PF_IUCV:
return SECCLASS_IUCV_SOCKET;
case PF_RXRPC:

Obviously this isn't ideal. The commit message claims that " Backward
compatibility is provided by only enabling the finer-grained socket
classes if a new policy capability is set in the policy; older
policies will behave as before."

Which makes it seem like the older sepolicy should be fine with newer
kernels, but this doesn't seem to be the case here? Am I missing
something? Is Android doing something odd with their POLICYDB that is
causing the kernel to think the sepolicy is newer?

thanks
-john