Re: [PATCH v3] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

Hi Naga,

On Wed, May 22, 2024 at 2:46 AM Naga Bhavani Akella
<quic_nakella@xxxxxxxxxxx> wrote:
>
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
> ---
>  policy/modules/apps/pulseaudio.te    |  2 +-
>  policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++
>  policy/modules/services/dbus.te      |  2 +-
>  policy/modules/services/obex.te      |  2 +-
>  4 files changed, 26 insertions(+), 3 deletions(-)

Where is this coming from? I don't think we even have a policy folder,
and this might be an area where the distros want to have their own
policies so I'm not sure if we shall have this upstream, or perhaps
this is just for reference?

> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..42ed3a1d2 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -193,7 +193,7 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> -       bluetooth_stream_connect(pulseaudio_t)
> +       bluetooth_use(pulseaudio_t)
>  ')
>
>  optional_policy(`
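Review bot: none of the five denials in the commit message has scontext=pulseaudio_t, so swapping `bluetooth_stream_connect(pulseaudio_t)` for `bluetooth_use(pulseaudio_t)` gives pulseaudio `fd use` and `bluetooth_socket` read/write on bluetooth_t without a recorded need. Keep the narrower interface for this caller unless a pulseaudio denial is added to the message.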
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..edead1fa1 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',`
>         stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>  ')
>
> +#####################################
> +## <summary>
> +##     Connect to bluetooth over a unix domain
> +##     stream socket.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`bluetooth_use',`
> +       gen_require(`
> +               type bluetooth_t, bluetooth_runtime_t;
> +       ')
> +
> +       files_search_runtime($1)
> +       allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> +       allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms };
> +       allow $1 bluetooth_t:fd use;
> +       bluetooth_stream_connect($1);
> +')
> +
>  ########################################
>  ## <summary>
>  ##     Execute bluetooth in the bluetooth domain.
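Review bot: the rules in `bluetooth_use` all target bluetooth_t, but denials 1-3 in the commit message have tcontext=initrc_t (and 1-2 have scontext=bluetooth_t), so `allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms };` does not address them; only denials 4 and 5 (`fd use` and `bluetooth_socket` read/write against bluetooth_t) map to this interface. Either the peer socket should end up in bluetooth_t rather than initrc_t, or the message should list only the denials this patch fixes. Smaller points: `connectto` is already granted by the `bluetooth_stream_connect($1)` call below it, since that interface expands to `stream_connect_pattern(...)` as shown in the context above; that call's trailing semicolon is inconsistent with `files_search_runtime($1)` two lines earlier; `bluetooth_runtime_t` is required but not used directly in the body; and the summary should mention the fd and bluetooth_socket access, because the interface does more than connect over a unix stream socket.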
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..855ce86bd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -265,7 +265,7 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> -       bluetooth_stream_connect(system_dbusd_t)
> +       bluetooth_use(system_dbusd_t)
>  ')
>
>  optional_policy(`
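Review bot: this is the one caller backed by the listed denials (4 and 5 have scontext=system_dbusd_t against bluetooth_t:fd and bluetooth_t:bluetooth_socket), so the change is justified here. Denial 3, system_dbusd_t against an initrc_t unix_stream_socket, is not covered by `bluetooth_use(system_dbusd_t)`; the commit message should say whether that one is still expected or needs a separate rule.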
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..5e2f20578 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
>  userdom_search_user_home_content(obex_t)
>
>  optional_policy(`
> -       bluetooth_stream_connect(obex_t)
> +       bluetooth_use(obex_t)
>  ')
>
>  optional_policy(`
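Review bot: as with pulseaudio, no listed denial has scontext=obex_t, so `bluetooth_use(obex_t)` widens obex to `fd use` and `bluetooth_socket` read/write on bluetooth_t with nothing in the message to justify it; leave `bluetooth_stream_connect(obex_t)` in place unless an obex denial is recorded.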
> --
>


-- 
Luiz Augusto von Dentz
