Message ID | 20240522064504.7560-1-quic_nakella@quicinc.com (mailing list archive)
---|---
State | New, archived
Series | [v3] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
Hi Naga,

On Wed, May 22, 2024 at 2:46 AM Naga Bhavani Akella <quic_nakella@quicinc.com> wrote:
>
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
> ---
> policy/modules/apps/pulseaudio.te | 2 +-
> policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++
> policy/modules/services/dbus.te | 2 +-
> policy/modules/services/obex.te | 2 +-
> 4 files changed, 26 insertions(+), 3 deletions(-)

Where is this coming from? I don't think we even have a policy folder,
and this might be an area where the distros want to have their own
policies so I'm not sure if we shall have this upstream, or perhaps this
is just for reference?

> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..42ed3a1d2 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -193,7 +193,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(pulseaudio_t)
> + bluetooth_use(pulseaudio_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..edead1fa1 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',`
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')
>
> +#####################################
> +## <summary>
> +## Connect to bluetooth over a unix domain
> +## stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`bluetooth_use',`
> + gen_require(`
> + type bluetooth_t, bluetooth_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms };
> + allow $1 bluetooth_t:fd use;
> + bluetooth_stream_connect($1);
> +')
> +
> ########################################
> ## <summary>
> ## Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..855ce86bd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -265,7 +265,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(system_dbusd_t)
> + bluetooth_use(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..5e2f20578 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
> userdom_search_user_home_content(obex_t)
>
> optional_policy(`
> - bluetooth_stream_connect(obex_t)
> + bluetooth_use(obex_t)
> ')
>
> optional_policy(`
> --
>
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 65b9a7428..42ed3a1d2 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -193,7 +193,7 @@ optional_policy(` ') optional_policy(` - bluetooth_stream_connect(pulseaudio_t) + bluetooth_use(pulseaudio_t) ') optional_policy(` diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index c7e1c3f14..edead1fa1 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',` stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) ') +##################################### +## <summary> +## Connect to bluetooth over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bluetooth_use',` + gen_require(` + type bluetooth_t, bluetooth_runtime_t; + ') + + files_search_runtime($1) + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms; + allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 bluetooth_t:fd use; + bluetooth_stream_connect($1); +') + ######################################## ## <summary> ## Execute bluetooth in the bluetooth domain. diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 2d1d09d71..855ce86bd 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -265,7 +265,7 @@ optional_policy(` ') optional_policy(` - bluetooth_stream_connect(system_dbusd_t) + bluetooth_use(system_dbusd_t) ') optional_policy(` diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te index 6686edb37..5e2f20578 100644 --- a/policy/modules/services/obex.te +++ b/policy/modules/services/obex.te 
@@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t) userdom_search_user_home_content(obex_t) optional_policy(` - bluetooth_stream_connect(obex_t) + bluetooth_use(obex_t) ') optional_policy(`
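Review bot: the pulseaudio.te hunk swaps bluetooth_stream_connect(pulseaudio_t) for bluetooth_use(pulseaudio_t) without any pulseaudio_t denial to justify it: all five AVC lines in the commit message have scontext bluetooth_t or system_dbusd_t, and the subject names only bluetoothctl and dbus-daemon, yet this change additionally grants pulseaudio_t rw_socket_perms on bluetooth_t:bluetooth_socket, rw plus connectto on bluetoothd's unix_stream_socket and use of bluetoothd's fds. Either quote the pulseaudio_t denials that motivate the widening or keep `bluetooth_stream_connect(pulseaudio_t)` here.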
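Review bot: in the bluetooth.if hunk the new interface grants much more than its summary says, and the body carries dead weight. The <summary> repeats the description of bluetooth_stream_connect ("Connect to bluetooth over a unix domain stream socket"), while the rules also allow rw_socket_perms on bluetooth_t:bluetooth_socket, rw on bluetoothd's unix_stream_socket and bluetooth_t:fd use, which is what a domain needs to hold a socket that bluetoothd handed to it over D-Bus; document that, since callers choose an interface by its summary. `type bluetooth_t, bluetooth_runtime_t;` in gen_require lists bluetooth_runtime_t although no rule in the body uses it (bluetooth_stream_connect has its own require), so drop it. `connectto` in the unix_stream_socket rule is already granted by the `stream_connect_pattern(... bluetooth_t)` line visible at the top of the hunk, reached through `bluetooth_stream_connect($1)`, so it is redundant here. And `bluetooth_stream_connect($1);` should lose the trailing semicolon to match `files_search_runtime($1)` three lines above and refpolicy's interface-call style.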
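Review bot: the dbus.te hunk is the only one whose rules match a quoted denial, and only denials 4 and 5 at that: bluetooth_use(system_dbusd_t) grants system_dbusd_t `use` on bluetooth_t:fd (denial 4) and read/write on bluetooth_t:bluetooth_socket (denial 5). Denials 1 to 3 have tcontext initrc_t on socket ino 43207, and nothing in the patch names initrc_t, so they remain denied after this series and the commit message should not list them as fixed. An initrc_t-labelled socket being read by bluetoothd and dbus-daemon means the client end (bluetoothctl, per the subject) ran in initrc_t, i.e. without a domain transition; that is a labelling problem for the client, not something to solve by letting bluetooth_t and system_dbusd_t at initrc_t sockets.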
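Review bot: the obex.te hunk has the same gap as the pulseaudio.te one: no obex_t denial is quoted anywhere in the commit message, so bluetooth_use(obex_t) widens obexd's access to bluetoothd (bluetooth_socket rw, fd use, rw on its unix stream socket) on no evidence. Keep `bluetooth_stream_connect(obex_t)` or add the obex_t denials that call for the change.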
Required for using acquire-notify, acquire-write options (Gatt Client)
and Sending notifications (Gatt Server)

Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit: type=1400 audit(315966559.395:444):
avc: denied { use } for pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
5. audit: type=1400 audit(315999854.939:523):
avc: denied { read write } for pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
---
policy/modules/apps/pulseaudio.te | 2 +-
policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++
policy/modules/services/dbus.te | 2 +-
policy/modules/services/obex.te | 2 +-
4 files changed, 26 insertions(+), 3 deletions(-)
--
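To check which of the five quoted denials the new rules actually silence, here is an added Python script; it is not part of the patch or of refpolicy. It parses the AVC lines from the commit message (copied inline) and tests each against a hand transcription of the allow rules that `bluetooth_use` expands to for the three callers the patch switches over. Two assumptions are labelled in the code: `rw_socket_perms` is taken to be refpolicy's `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }`, and `bluetooth_stream_connect` is reduced to the `unix_stream_socket connectto` it grants, leaving out its dir and sock_file rules because no quoted denial is in those classes.

```python
"""Check which AVC denials a set of SELinux allow rules would silence.

Added example for the bluetooth_use patch above; not part of the patch or
of refpolicy. The audit lines are copied from the commit message; the rule
set is a hand transcription of what bluetooth_use($1) expands to.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# The five AVC denials quoted in the commit message, one per line.
AVC_LINES = [
    'audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0',
    'audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1',
]


class Access(NamedTuple):
    """One (source type, target type, class, permissions) tuple; used for
    both an allow rule and a parsed denial."""
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]


# Assumption: refpolicy's rw_socket_perms from policy/support/obj_perm_sets.spt.
RW_SOCKET_PERMS: FrozenSet[str] = frozenset(
    "ioctl read getattr write setattr append bind connect getopt setopt shutdown".split()
)


def bluetooth_use(domain: str) -> List[Access]:
    """Hand transcription of the allow rules the patch's bluetooth_use($1)
    expands to. bluetooth_stream_connect($1) is reduced to the
    unix_stream_socket connectto it grants via stream_connect_pattern; its
    dir and sock_file rules are omitted because no quoted denial is in
    those classes (assumption, see lead-in)."""
    return [
        Access(domain, "bluetooth_t", "bluetooth_socket", RW_SOCKET_PERMS),
        Access(domain, "bluetooth_t", "unix_stream_socket", RW_SOCKET_PERMS | {"connectto"}),
        Access(domain, "bluetooth_t", "fd", frozenset({"use"})),
    ]


# The three callers the patch switches to bluetooth_use.
PATCH_RULES: List[Access] = (
    bluetooth_use("pulseaudio_t") + bluetooth_use("system_dbusd_t") + bluetooth_use("obex_t")
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Access]:
    """Parse one audit line into an Access, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Access(type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
                  frozenset(m["perms"].split()))


def missing_perms(denial: Access, rules: List[Access]) -> FrozenSet[str]:
    """Permissions of the denial that no rule with the same
    (source, target, class) grants; empty means the denial is silenced."""
    granted: set = set()
    for r in rules:
        if (r.source, r.target, r.tclass) == (denial.source, denial.target, denial.tclass):
            granted |= r.perms
    return denial.perms - granted


def coverage(lines: List[str], rules: List[Access]) -> Dict[int, FrozenSet[str]]:
    """1-based denial number -> permissions still denied after the rules."""
    result: Dict[int, FrozenSet[str]] = {}
    for n, line in enumerate(lines, 1):
        denial = parse_avc(line)
        if denial is None:
            raise ValueError(f"line {n} is not an AVC denial")
        result[n] = missing_perms(denial, rules)
    return result


if __name__ == "__main__":
    for n, left in coverage(AVC_LINES, PATCH_RULES).items():
        d = parse_avc(AVC_LINES[n - 1])
        verdict = "covered" if not left else "NOT covered, still denied: " + " ".join(sorted(left))
        print(f"{n}. {d.source} -> {d.target}:{d.tclass} {{ {' '.join(sorted(d.perms))} }}: {verdict}")
```

Run as a script it prints one verdict per denial: 4 and 5 come back covered by the system_dbusd_t rules, while 1 to 3 stay denied because their target type is initrc_t, which no rule in the patch names. The same `coverage` call works for any list of `ausearch`/dmesg AVC lines against any rule set you transcribe, which is a quick way to sanity-check a "fixes these denials" claim before merging a policy change.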