Re: [PATCH 2/2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

[Chris PeBenito <pebenito@xxxxxxxx>]

On 5/21/2024 4:43 AM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
> ---
>   policy/modules/apps/pulseaudio.te    |  1 +
>   policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
>   policy/modules/services/dbus.te      |  1 +
>   policy/modules/services/obex.te      |  1 +
>   4 files changed, 25 insertions(+)
>
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..9bf69bedc 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -194,6 +194,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	bluetooth_stream_connect(pulseaudio_t)
> +	bluetooth_socket_connect(pulseaudio_t)
>   ')
>   
>   optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..dd26d95f4 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',`
>   	stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>   ')
>   
> +#####################################
> +## <summary>
> +##	Connect to bluetooth over a unix domain
> +##	stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`bluetooth_socket_connect',`

This should be named "bluetooth_use".


> +	gen_require(`
> +		type bluetooth_t, bluetooth_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> +	allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };

Do you have example denials for the accept and listen permissions?  I 
wouldn't expect to see accept and listen on a client connection.


> +	allow $1 bluetooth_t:fd use;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..301c81aa5 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -266,6 +266,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	bluetooth_stream_connect(system_dbusd_t)
> +	bluetooth_socket_connect(system_dbusd_t)
>   ')
>   
>   optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..edbdc7ecf 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t)
>   
>   optional_policy(`
>   	bluetooth_stream_connect(obex_t)
> +	bluetooth_socket_connect(obex_t)
>   ')

Since each of the callers already have bluetooth_stream_connect(), I 
think the new bluetooth_use() interface should call 
bluetooth_stream_connect(), then the callers can be simplified to only a 
bluetooth_use() call.



--
Chris PeBenito