Re: [PATCH v3] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/23/2024 12:13 AM, Naga Bhavani Akella wrote:
Required for using acquire-notify, acquire-write options (Gatt Client)
and Sending notifications (Gatt Server)

A couple minor things remain.


Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(1651238006.276:496):
avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit: type=1400 audit(315966559.395:444):
avc:  denied  { use } for  pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
5. audit: type=1400 audit(315999854.939:523):
avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
---
  policy/modules/apps/pulseaudio.te    |  2 +-
  policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++
  policy/modules/services/dbus.te      |  2 +-
  policy/modules/services/obex.te      |  2 +-
  4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 65b9a7428..42ed3a1d2 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -193,7 +193,7 @@ optional_policy(`
  ')
optional_policy(`
-	bluetooth_stream_connect(pulseaudio_t)
+	bluetooth_use(pulseaudio_t)
  ')
optional_policy(`
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index c7e1c3f14..edead1fa1 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',`
  	stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
  ')
+#####################################
+## <summary>
+##	Connect to bluetooth over a unix domain
+##	stream socket.

Please add a little more here; something about using the returned bluetooth socket.

+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_use',`
+	gen_require(`
+		type bluetooth_t, bluetooth_runtime_t;
+	')
+
+	files_search_runtime($1)
+	allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
+	allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms };

The connectto is provided by bluetooth_stream_connect(), so only the rw_socket_perms should be needed.


Otherwise looks good.


--
Chris PeBenito





[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux