2024-05-14 07:22:13

by Naga Bhavani Akella

[permalink] [raw]
Subject: [PATCH v1] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

Required for using acquire-notify, acquire-write options (Gatt Client)
and Sending notifications (Gatt Server)

Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit: type=1400 audit(315966559.395:444):
avc: denied { use } for pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
5. audit: type=1400 audit(315999854.939:523):
avc: denied { read write } for pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <[email protected]>
---
policy/modules/services/bluetooth.fc | 1 +
policy/modules/services/bluetooth.if | 3 +++
2 files changed, 4 insertions(+)

diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
index e167e93f7..03f42fc8b 100644
--- a/policy/modules/services/bluetooth.fc
+++ b/policy/modules/services/bluetooth.fc
@@ -7,6 +7,7 @@

/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index c7e1c3f14..c869eed71 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -82,6 +82,9 @@ interface(`bluetooth_stream_connect',`

files_search_runtime($1)
allow $1 bluetooth_t:socket rw_socket_perms;
+ allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
+ allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
+ allow $1 bluetooth_t:fd use;
stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
')

--


2024-05-14 20:12:27

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v1] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

On 5/14/2024 3:21 AM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <[email protected]>
> ---
> policy/modules/services/bluetooth.fc | 1 +
> policy/modules/services/bluetooth.if | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
> index e167e93f7..03f42fc8b 100644
> --- a/policy/modules/services/bluetooth.fc
> +++ b/policy/modules/services/bluetooth.fc
> @@ -7,6 +7,7 @@
>
> /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
> /usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
> +/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
> /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
> /usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
> /usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..c869eed71 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -82,6 +82,9 @@ interface(`bluetooth_stream_connect',`
>
> files_search_runtime($1)
> allow $1 bluetooth_t:socket rw_socket_perms;
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
> + allow $1 bluetooth_t:fd use;
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')

I have two main concerns:

1. is the added access in this interface required for all users that
connect to bluetoothd over a unix domain socket?

2. does bluetoothctl really need all the access of the bluetooth_t
domain? It may only need a small permission set, like udev and udevctl.


--
Chris PeBenito


2024-05-15 07:30:14

by Naga Bhavani Akella

[permalink] [raw]
Subject: Re: [PATCH v1] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

Hi Chris PeBenito,

Thank you for your comments.

On 5/15/2024 1:42 AM, Chris PeBenito wrote:
> On 5/14/2024 3:21 AM, Naga Bhavani Akella wrote:
>> Required for using acquire-notify, acquire-write options (Gatt Client)
>> and Sending notifications (Gatt Server)
>>
>> Below are the avc denials that are fixed with this patch -
>>
>> 1. audit: type=1400 audit(1651238006.276:496):
>> avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
>> path="socket:[43207]" dev="sockfs" ino=43207
>> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=1
>> 2. audit: type=1400 audit(1651238006.276:497):
>> avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
>> path="socket:[43207]" dev="sockfs" ino=43207
>> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=1
>> 3. audit: type=1400 audit(1651238006.272:495):
>> avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
>> path="socket:[43207]" dev="sockfs" ino=43207
>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=1
>> 4. audit: type=1400 audit(315966559.395:444):
>> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
>> path="socket:[13196]" dev="sockfs" ino=13196
>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tclass=fd permissive=0
>> 5. audit: type=1400 audit(315999854.939:523):
>> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
>> path="socket:[99469]" dev="sockfs" ino=99469
>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> Signed-off-by: Naga Bhavani Akella <[email protected]>
>> ---
>>   policy/modules/services/bluetooth.fc | 1 +
>>   policy/modules/services/bluetooth.if | 3 +++
>>   2 files changed, 4 insertions(+)
>>
>> diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
>> index e167e93f7..03f42fc8b 100644
>> --- a/policy/modules/services/bluetooth.fc
>> +++ b/policy/modules/services/bluetooth.fc
>> @@ -7,6 +7,7 @@
>>     /usr/bin/blue.*pin    --    gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
>>   /usr/bin/bluetoothd    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>> +/usr/bin/bluetoothctl    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>   /usr/bin/dund    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>   /usr/bin/hciattach    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>   /usr/bin/hcid    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
>> index c7e1c3f14..c869eed71 100644
>> --- a/policy/modules/services/bluetooth.if
>> +++ b/policy/modules/services/bluetooth.if
>> @@ -82,6 +82,9 @@ interface(`bluetooth_stream_connect',`
>>         files_search_runtime($1)
>>       allow $1 bluetooth_t:socket rw_socket_perms;
>> +    allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
>> +    allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
>> +    allow $1 bluetooth_t:fd use;
>>       stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>>   ')
>
> I have two main concerns:
>
> 1. is the added access in this interface required for all users that connect to bluetoothd over a unix domain socket?
>
As per my understanding any user who wants to use bluetooth over unix domain has to make dbus calls to bluetoothd. So I feel its required. For example- bluetooth_stream_connect is currently being used by pulseaudio_t and obex_t as well, these services also use dbus methods.
Please let us know your opinion on this or better way to fix these AVC denials.

> 2. does bluetoothctl really need all the access of the bluetooth_t domain?  It may only need a small permission set, like udev and udevctl.
>
>
By default bluetoothctl is running in initrc_t domain so added bluetooth_exec_t domain to bluetoothctl. bluetoothctl is command line tool to access whole bluetooth functionality like pair/unpair/connect/disconnect etc. There are other tools like hciattach, rfcomm which are using same domain bluetooth_exec_t.

- Naga Bhavani Akella

2024-05-15 13:51:24

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v1] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

On 5/15/2024 3:29 AM, Naga Bhavani Akella wrote:
> Hi Chris PeBenito,
>
> Thank you for your comments.
>
> On 5/15/2024 1:42 AM, Chris PeBenito wrote:
>> On 5/14/2024 3:21 AM, Naga Bhavani Akella wrote:
>>> Required for using acquire-notify, acquire-write options (Gatt Client)
>>> and Sending notifications (Gatt Server)
>>>
>>> Below are the avc denials that are fixed with this patch -
>>>
>>> 1. audit: type=1400 audit(1651238006.276:496):
>>> avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
>>> path="socket:[43207]" dev="sockfs" ino=43207
>>> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>>> tclass=unix_stream_socket permissive=1
>>> 2. audit: type=1400 audit(1651238006.276:497):
>>> avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
>>> path="socket:[43207]" dev="sockfs" ino=43207
>>> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>>> tclass=unix_stream_socket permissive=1
>>> 3. audit: type=1400 audit(1651238006.272:495):
>>> avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
>>> path="socket:[43207]" dev="sockfs" ino=43207
>>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>>> tclass=unix_stream_socket permissive=1
>>> 4. audit: type=1400 audit(315966559.395:444):
>>> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
>>> path="socket:[13196]" dev="sockfs" ino=13196
>>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>>> tclass=fd permissive=0
>>> 5. audit: type=1400 audit(315999854.939:523):
>>> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
>>> path="socket:[99469]" dev="sockfs" ino=99469
>>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>>> tclass=bluetooth_socket permissive=1
>>>
>>> Signed-off-by: Naga Bhavani Akella <[email protected]>
>>> ---
>>>   policy/modules/services/bluetooth.fc | 1 +
>>>   policy/modules/services/bluetooth.if | 3 +++
>>>   2 files changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
>>> index e167e93f7..03f42fc8b 100644
>>> --- a/policy/modules/services/bluetooth.fc
>>> +++ b/policy/modules/services/bluetooth.fc
>>> @@ -7,6 +7,7 @@
>>>     /usr/bin/blue.*pin    --    gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
>>>   /usr/bin/bluetoothd    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>> +/usr/bin/bluetoothctl    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>>   /usr/bin/dund    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>>   /usr/bin/hciattach    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>>   /usr/bin/hcid    --    gen_context(system_u:object_r:bluetooth_exec_t,s0)
>>> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
>>> index c7e1c3f14..c869eed71 100644
>>> --- a/policy/modules/services/bluetooth.if
>>> +++ b/policy/modules/services/bluetooth.if
>>> @@ -82,6 +82,9 @@ interface(`bluetooth_stream_connect',`
>>>         files_search_runtime($1)
>>>       allow $1 bluetooth_t:socket rw_socket_perms;
>>> +    allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
>>> +    allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
>>> +    allow $1 bluetooth_t:fd use;
>>>       stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>>>   ')
>>
>> I have two main concerns:
>>
>> 1. is the added access in this interface required for all users that connect to bluetoothd over a unix domain socket?
>>
> As per my understanding any user who wants to use bluetooth over unix domain has to make dbus calls to bluetoothd. So I feel its required. For example- bluetooth_stream_connect is currently being used by pulseaudio_t and obex_t as well, these services also use dbus methods.
> Please let us know your opinion on this or better way to fix these AVC denials.

In that case, then a new interface with a more abstract name would be
warranted.


>> 2. does bluetoothctl really need all the access of the bluetooth_t domain?  It may only need a small permission set, like udev and udevctl.
>>
> By default bluetoothctl is running in initrc_t domain so added bluetooth_exec_t domain to bluetoothctl. bluetoothctl is command line tool to access whole bluetooth functionality like pair/unpair/connect/disconnect etc. There are other tools like hciattach, rfcomm which are using same domain bluetooth_exec_t.

Yes, the point is that we probably need a bluetoothctl_t domain so the
configuration can be done only via the bluetoothctl process, not just
any initrc_t process. The existing bluetooth_helper_t domain may
possibly be renamed/retrofitted for this purpose.


--
Chris PeBenito