Received: by 2002:ab2:7855:0:b0:1f9:5764:f03e with SMTP id m21csp542511lqp;
        Wed, 22 May 2024 11:44:17 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVruZYw4p90hLGJCighhjwb88O43/RI6JQjBelmj0FYoNlPUX/knMIXg6Xh1oexVELrEIq07lR3Yk+U5dj/iMZWh5vjqWh0WcFJauNZ/g==
X-Google-Smtp-Source: AGHT+IFwWcDPC9Pq1sI3pghov5BvZHCIbmu+KHb367HCSUiPim8JL4gs8T/c1VpJIrz64BQvCwRm
X-Received: by 2002:a05:620a:574e:b0:793:f24:c37e with SMTP id af79cd13be357-79499455fa5mr278082385a.46.1716403456819;
        Wed, 22 May 2024 11:44:16 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1716403456; cv=pass;
        d=google.com; s=arc-20160816;
        b=xFI4E/MRQijlxhd370AZfIgcJzz1uSKBgZNxcpAynbjK3FdeoipJZkZDt5EPucSG+u
         bKbNIKeXj2XduWditWFC80kDQW5Pmi/bhTC4K7JnZnFP+Y/gqJfEMPs2kz95lPKiqXY3
         fwTtxCfAtPTxfmFBDyWnV1rMITTi2sPdZ31W0OI27BCaI37SjVMW3omzzc4VWsQ8it4e
         fMgmPTO5iPLdkZ2J4k5SxWbtJKUwxcFBY35P7ksTWEHf2tcTfThj7ZzYt862i/uYIWQQ
         rFsrZ+kRR/v1YOg+9QPZzbsT2mu/NsEO22gmL9qFl1WLq26mGVsDyskIihZpHGItBFT0
         AP8w==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=0R/H2ZxRgcTDKjoml22C7/U25tmAJzn0uDdpWw2qbq4=;
        fh=lOVAck7nD0GH2ReVcF6JTuYifLuxHLQLiWkQZA+D+0M=;
        b=aZc1try6Iyq+LdtDI/apI6xyYIwNt1zWaJ/H/uUaSKYZq+/h0BcqNv/c3ppoD0z1LX
         qCYJssdbrUIe2BcoI9pfd4fvM8qTwISzusIbERHbaNwlUKwqVk/Y9xfZ5cYcHX72/Bkr
         GuH0DYAJu9gATkuJAJxv3K0KaiRfG20AFXJ5w7oFetqlfQMJdKpdL2T9+xMTNzhw6Kzk
         fO5GA4KUILxl2XvtFBDtJgPZsO6STDN0K5XRbqLG4rO2B6xzZzo337V87ukW5OM3HyP2
         1b8sDVq7sPy8KD+Ayd68PxC1K6WMnEgF+NVlVfn08vil0PtdkBgfiiv+RzBSeCE9hUvQ
         gS4A==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=dyFEzqwE;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-bluetooth+bounces-4868-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-4868-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth+bounces-4868-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id af79cd13be357-792d2f65856si2695930985a.307.2024.05.22.11.44.16
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 22 May 2024 11:44:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-4868-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=dyFEzqwE;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-bluetooth+bounces-4868-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-4868-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 6EB1E1C21558
	for <linux.lists.archive@gmail.com>; Wed, 22 May 2024 18:44:16 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 5FECE146004;
	Wed, 22 May 2024 18:44:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dyFEzqwE"
X-Original-To: linux-bluetooth@vger.kernel.org
Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2383C210EC
	for <linux-bluetooth@vger.kernel.org>; Wed, 22 May 2024 18:44:08 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.174
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1716403450; cv=none; b=qRPxOEZ6TRxlOYG/5v2EePi8szxIUEH9o6ifgkRqi6tXsT3tacs6JmKeDrVjoZsSE6QVvz9KpbDAc4YpVTZk8bfIiP4XLm+FS3N08ezsJVtJBfR0KmG9Z5tHUQTeC4AVtArAk72lAiJ28DUCir7pva+aImN+1pNActTdGyUanvI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1716403450; c=relaxed/simple;
	bh=Ji2hNR62HJExgnXzCsmRMWLeJvT4xObu7J7qdDKWxZo=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=WNVu55YzQcjgnu0VkwXU5FCqtsG7pSmoEBKQDgCXdVOGrxjUhOySvUU6wqZsiQSnwOIh/zxHmq4Z42PrUZiVlEGI9AxZi5vqXO3EjB34fSEbrLyYcuXt8wAvY87QMQfZGZ8yVkoDJPQ8nmXtm/OZrSUfd8xOOAr0zDtvL7hEJ7E=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=dyFEzqwE; arc=none smtp.client-ip=209.85.208.174
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-lj1-f174.google.com with SMTP id 38308e7fff4ca-2e719bab882so51154441fa.3
        for <linux-bluetooth@vger.kernel.org>; Wed, 22 May 2024 11:44:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1716403447; x=1717008247; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=0R/H2ZxRgcTDKjoml22C7/U25tmAJzn0uDdpWw2qbq4=;
        b=dyFEzqwEh5rKvz5K620bs6JoPPs+yTzHr5E8rHWa0y0j0MgWFdZwSmI8wj2SaXD2vX
         YnLp2xnqR/5NyscDA8LxbnVYfXG7i1qbOJxQwfmwtSTMHXVS2He96kLtO3I0VuBv8pwK
         qAhPGkHGRPR3h1+Z38JKgh20xa9YmoX7oO9kMOsPKU3Ddy2cLnKB2MpCdUVgSyT+31Cu
         Du7kHBah4iw5KyoWD6o3oMQ9AE28MX8d/cmJnbcLGxMxloyh/BVOc9nihDIeycMvIq6B
         5M7bTOuzgSDaONyJFGIIyXtcwC99yopnX2hfr9Usl6/OtP6yiOvb5Xv5+1/Qk2Xcc5Ee
         2T3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1716403447; x=1717008247;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=0R/H2ZxRgcTDKjoml22C7/U25tmAJzn0uDdpWw2qbq4=;
        b=Q2m8P6uqNFfCMW7SRVJY0UBFYDySmeXGW4r28wpQEKgQjQybuoGkrNxy1Tm0oHQsgQ
         jkBhMdnPTzU76Z9sDBXFdDFWQCX2n6SZJ5sXlavEGrleIurtzyVRxyvB5OcCo5NlTdVF
         qJin7DQfJ97C8CiCYjUCxXhkbo51Z7ymF1NygWECM8kh8z4HVi9EwLKnEWlIFqwdCUA2
         TZXqpWFhHqHHtHeM6Xwkwz9Vz9m4O6DvesEkuCPnF54NmB5+d/eVgSLKQP4uIJJo09AW
         V00TXnf5CHSeiV8pS77byoTvoaqz7FSmX+VWkdWsEpG1QAGU8aN+PZeTolQfW/cwPOJG
         gOVA==
X-Gm-Message-State: AOJu0YyVcGmvu+QHEwa585sSQFv4M7zNkkjCZGrVBWr/AXMfTweopgve
	sirGWG64s80NWRQg8GQywmRjeezrdCWnmQSzttpwC/DZdof3WgR8Gh7dOj40ujwSi82sRzp0wlE
	pSbA1Kd/IIGc8EZRxVAEAphgARsruGw==
X-Received: by 2002:a2e:9c07:0:b0:2e5:15d0:511c with SMTP id
 38308e7fff4ca-2e94969e177mr17656601fa.40.1716403446940; Wed, 22 May 2024
 11:44:06 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20240522064504.7560-1-quic_nakella@quicinc.com>
In-Reply-To: <20240522064504.7560-1-quic_nakella@quicinc.com>
From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Date: Wed, 22 May 2024 14:43:54 -0400
Message-ID: <CABBYNZLX0PGEVEFhtWGiLdCN4gJTyg+mqSmRiq2y0sT--skjPQ@mail.gmail.com>
Subject: Re: [PATCH v3] Adding Sepolicy rules to allow bluetoothctl and
 dbus-daemon to access unix stream sockets.
To: Naga Bhavani Akella <quic_nakella@quicinc.com>
Cc: linux-bluetooth@vger.kernel.org, quic_mohamull@quicinc.com, 
	quic_hbandi@quicinc.com, quic_anubhavg@quicinc.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Naga,

On Wed, May 22, 2024 at 2:46=E2=80=AFAM Naga Bhavani Akella
<quic_nakella@quicinc.com> wrote:
>
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=3D1400 audit(1651238006.276:496):
> avc:  denied  { read write } for  pid=3D2165 comm=3D"bluetoothd"
> path=3D"socket:[43207]" dev=3D"sockfs" ino=3D43207
> scontext=3Dsystem_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=3Dsystem_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=3Dunix_stream_socket permissive=3D1
> 2. audit: type=3D1400 audit(1651238006.276:497):
> avc:  denied  { getattr } for  pid=3D2165 comm=3D"bluetoothd"
> path=3D"socket:[43207]" dev=3D"sockfs" ino=3D43207
> scontext=3Dsystem_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=3Dsystem_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=3Dunix_stream_socket permissive=3D1
> 3. audit: type=3D1400 audit(1651238006.272:495):
> avc:  denied  { read write } for  pid=3D689 comm=3D"dbus-daemon"
> path=3D"socket:[43207]" dev=3D"sockfs" ino=3D43207
> scontext=3Dsystem_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=3Dsystem_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=3Dunix_stream_socket permissive=3D1
> 4. audit: type=3D1400 audit(315966559.395:444):
> avc:  denied  { use } for  pid=3D710 comm=3D"dbus-daemon"
> path=3D"socket:[13196]" dev=3D"sockfs" ino=3D13196
> scontext=3Dsystem_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=3Dsystem_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=3Dfd permissive=3D0
> 5. audit: type=3D1400 audit(315999854.939:523):
> avc:  denied  { read write } for  pid=3D812 comm=3D"dbus-daemon"
> path=3D"socket:[99469]" dev=3D"sockfs" ino=3D99469
> scontext=3Dsystem_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=3Dsystem_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=3Dbluetooth_socket permissive=3D1
>
> Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
> ---
>  policy/modules/apps/pulseaudio.te    |  2 +-
>  policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++
>  policy/modules/services/dbus.te      |  2 +-
>  policy/modules/services/obex.te      |  2 +-
>  4 files changed, 26 insertions(+), 3 deletions(-)

Where is this coming from? I don't think we even have a policy folder,
and this might be an are where the distros want to have their own
policies so I'm not sure if we shall have this upstream, or perhaps
this is just for reference?

> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/puls=
eaudio.te
> index 65b9a7428..42ed3a1d2 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -193,7 +193,7 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> -       bluetooth_stream_connect(pulseaudio_t)
> +       bluetooth_use(pulseaudio_t)
>  ')
>
>  optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/servic=
es/bluetooth.if
> index c7e1c3f14..edead1fa1 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',`
>         stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime=
_t, bluetooth_t)
>  ')
>
> +#####################################
> +## <summary>
> +##     Connect to bluetooth over a unix domain
> +##     stream socket.
> +## </summary>
> +## <param name=3D"domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`bluetooth_use',`
> +       gen_require(`
> +               type bluetooth_t, bluetooth_runtime_t;
> +       ')
> +
> +       files_search_runtime($1)
> +       allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> +       allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_per=
ms };
> +       allow $1 bluetooth_t:fd use;
> +       bluetooth_stream_connect($1);
> +')
> +
>  ########################################
>  ## <summary>
>  ##     Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/db=
us.te
> index 2d1d09d71..855ce86bd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -265,7 +265,7 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> -       bluetooth_stream_connect(system_dbusd_t)
> +       bluetooth_use(system_dbusd_t)
>  ')
>
>  optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/ob=
ex.te
> index 6686edb37..5e2f20578 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
>  userdom_search_user_home_content(obex_t)
>
>  optional_policy(`
> -       bluetooth_stream_connect(obex_t)
> +       bluetooth_use(obex_t)
>  ')
>
>  optional_policy(`
> --
>


--=20
Luiz Augusto von Dentz