Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp728842pxb; Thu, 19 Nov 2020 12:16:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJw7DtHUvYO1lMuLedgwckfMvecPN5Ujr05HRyTdSoGLYoONBlGysfGKO8ZNSgxfsD6fjRJu X-Received: by 2002:a05:6402:849:: with SMTP id b9mr12766467edz.99.1605816991658; Thu, 19 Nov 2020 12:16:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605816991; cv=none; d=google.com; s=arc-20160816; b=EdsTaUkYDz1zLpnKs+Nafza4jNThbsOvv13f7AULMfYRpkElx/wEDj4wccl1/A3Ucf 6vU5M20NDekJcgSqExeZQHkO1t6oVpyGRvWcyn9J12mOqepBSJjvNuAtNlG8fH/4g6kG v8bVuLrWJOUjcBnH8v6lHe3vkZB84JrGMgbFx8CJCkhCm8tP2nbWsLhdkfz9JhscPo94 fj8pllUnHiUr5nLjTTcxRyQSvUIxGyQ4dpxnJOSyrwsCPwfff7039PWDMbmDAmnmUuzB xhH2Z504Dcc6o+zGwrZTZ/LrpUpltQpl5/JM1Ga8MZF/tA3u+KIo+X6Q5jXlQ9ckeyhs NhWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=I4YDXXNB29dy2L3aUm2jHY+iN9AruGRMeqSpuAZ56R8=; b=fIHZ3V7t5Sie8luiKi80yA1+IZyz+8L6eydzHhSL3nKz+xOt1KHsGWylEm5ZCSmU2o fLeYZMdDvTCHp/W8AcKdbsS8NYNF4ChPCXYu1/rRWBX/6IwlVouo5vJWt10N2wFCdOqj x/98ARNpKgfJFoTSpL3pJIQ5ZNLlrNYjWhTfvfH9iUmSmTo4ZbKLTE1z/vyt9wfadWlJ 2neVWCT//r5+X5alEgCli3PYKzHVMXgBbWHj3sjDSah4oEl62MLrsOfjB2wvxaSrRpZx 0s4RyVEwWvYzMn60srf4gg0RIJn049sHdpyFc61nrAqg6jFVmbgcf5FJaLUxRTacW7D2 00QA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=H8P0t6Mz; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w13si472444ejz.76.2020.11.19.12.16.05; Thu, 19 Nov 2020 12:16:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=H8P0t6Mz; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727107AbgKSUPp (ORCPT + 99 others); Thu, 19 Nov 2020 15:15:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60896 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726644AbgKSUPp (ORCPT ); Thu, 19 Nov 2020 15:15:45 -0500 Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com [IPv6:2a00:1450:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DC4AC0613CF for ; Thu, 19 Nov 2020 12:15:43 -0800 (PST) Received: by mail-ej1-x642.google.com with SMTP id lv15so3866875ejb.12 for ; Thu, 19 Nov 2020 12:15:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I4YDXXNB29dy2L3aUm2jHY+iN9AruGRMeqSpuAZ56R8=; b=H8P0t6MzB3wg4hO1fsrJ2lePMArKiUgIL2myroxnCAsELWKvKO6tJNR1dowj2PDYlF 3s73fBTInFZ+sgDb6Jh2R+moUGkr+YqBQORSzQFjOqfMERN1oxQIzLytX0LtYeQRz74E gHH0hK2qDNumFUjjOFW3zKywkUmunXuNVOcxo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I4YDXXNB29dy2L3aUm2jHY+iN9AruGRMeqSpuAZ56R8=; b=Fm6dALdfSx1B3May6fGgcqMPJqx9oWcPurwRwQnmXJfXJQ/Rewm7ixc4T7LETDsv93 OAVc2rgzkE8DkZajo3CxnIhqDlIkq3a4eKK23a+PCot2v5H3iSgB5LMVRRba3u75TsVb CAPOtADPK24zGdeUIM5NXQJ1jZttuQi9EQziHgHTtjIYjG+FJ8XhjFUU0JdwDYd79JuL MZF5BQHZTDX5lIX6D/r76b59oClGrX9HlvMMDkmQ7m2mWlnXh9q1ZETuIeueuWrviiK7 hcRKSs/PqAB0lAk4lyb6OtRS5yPzyuo/GRGO4tNBO84vM9teoKd50avta39kIeXibpxp nfhw== X-Gm-Message-State: AOAM531/QY+VJA+t4vLOd4K1fvBKrLmxc1/kDXkCnuDxJYpzmVX5Zc+f uj4kFj8ihu9rM+psOgYdS299S85INyAfhg== X-Received: by 2002:a17:906:86cc:: with SMTP id j12mr19038988ejy.174.1605816941379; Thu, 19 Nov 2020 12:15:41 -0800 (PST) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com. [209.85.221.45]) by smtp.gmail.com with ESMTPSA id j9sm294826ejf.105.2020.11.19.12.15.40 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 19 Nov 2020 12:15:40 -0800 (PST) Received: by mail-wr1-f45.google.com with SMTP id p1so7726689wrf.12 for ; Thu, 19 Nov 2020 12:15:40 -0800 (PST) X-Received: by 2002:adf:9d84:: with SMTP id p4mr12201565wre.370.1605816939762; Thu, 19 Nov 2020 12:15:39 -0800 (PST) MIME-Version: 1.0 References: <20201111011745.2016-1-sonnysasaka@chromium.org> <20201111011745.2016-7-sonnysasaka@chromium.org> In-Reply-To: From: Sonny Sasaka Date: Thu, 19 Nov 2020 12:15:28 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH BlueZ v2 7/7] battery: Implement Battery Provider API To: Luiz Augusto von Dentz Cc: Bastien Nocera , BlueZ , Miao-chen Chou Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Luiz, On Tue, Nov 17, 2020 at 2:26 PM Luiz Augusto von Dentz wrote: > > Hi Sonny, > > On Tue, Nov 17, 2020 at 2:20 PM Sonny Sasaka wrote: > > > > Hi Bastien, > > > > Thank you for the feedback. Please find my answers below. > > > > On Tue, Nov 17, 2020 at 2:51 AM Bastien Nocera wrote: > > > > > > Hey Sonny, > > > > > > On Tue, 2020-11-10 at 17:17 -0800, Sonny Sasaka wrote: > > > > This patch implements the BatteryProvider1 and > > > > BatteryProviderManager1 > > > > API. This is a means for external clients to feed battery information > > > > to > > > > BlueZ if they handle some profile and can decode battery reporting. > > > > > > > > The battery information is then exposed externally via the existing > > > > Battery1 interface. UI components can consume this API to display > > > > Bluetooth peripherals' battery via a unified BlueZ API. > > > > > > Was this patch reviewed for potential security problems? From the top > > > of my head, the possible problems would be: > > > - I don't see any filters on which user could register battery > > > providers, so on a multi user system, you could have a user logged in > > > via SSH squatting all the battery providers, while the user "at the > > > console" can't have their own providers. Also, what happens if the user > > > at the console changes (fast user switching)? > > > - It looks like battery providers don't check for paired, trusted or > > > even connected devices, so I would be able to create nearly unbound > > > number of battery providers depending on how big the cache for "seen" > > > devices is. > > For security, the API can be access-limited at D-Bus level using D-Bus > > configuration files. For example, we can let only trusted UNIX users > > as the callers for this API. This D-Bus config file would be > > distribution-specific. In Chrome OS, for example, only the "audio" and > > "power" users are allowed to call this API. This way we can make sure > > that the callers do not abuse the API for denial-of-service kind of > > attack. > > I guess there is still some the risk of conflicts even with the use of > D-Bus policy blocking roge applications, there could still be multiple > entities providing the battery status from the same source, which is > why I suggested we couple the Battery1 with the Profile1, so only the > entity that has registered to handle let say HFP can provide a battery > status and we automatically deduce the source is from HFP. These are two different issues. The issue with bad applications can be overcome with D-Bus policy. The issue with multiple providers is inherent: we have to have a duplicate resolution because one device may report battery from different sources, e.g. via HFP and A2DP at the same time. The latter case is rare in practice but still possible, so I propose the simplest duplication resolution which is accept the first provider registered (of that specific device) and ignore the rest. Coupling Battery1 with Profile1 will limit the flexibility of this feature. For example, some speakers report battery status via a separate LE channel (GATT). If we require Battery provider to be also a registered Profile, we won't be able to support these cases since GATT clients do not register any profile. > > > > > > > Given that the interface between upower and bluez is supposedly > > > trusted, it might be good to ensure that there are no fuzzing problems > > > on the bluez API side that could translate to causing problems in > > > upower itself. > > Could you give an example of what potential problems of upower can be > > caused by communicating with BlueZ through this API? > > > > > > > > I didn't review the code in depth, but, having written this mechanism > > > for Bluetooth battery reporting, I think that this is the right way to > > > go to allow daemons like pulseaudio to report battery status. > > > > > > Cheers > > > > > > > -- > Luiz Augusto von Dentz