2024-05-27 07:50:14

by Naga Bhavani Akella

[permalink] [raw]
Subject: [PATCH v4] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

Required for using acquire-notify, acquire-write options (Gatt Client)
and Sending notifications (Gatt Server)

Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(315966559.395:444):
avc: denied { use } for pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
2. audit: type=1400 audit(315999854.939:523):
avc: denied { read write } for pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <[email protected]>
---
policy/modules/apps/pulseaudio.te | 2 +-
policy/modules/services/bluetooth.if | 24 ++++++++++++++++++++++++
policy/modules/services/dbus.te | 2 +-
policy/modules/services/obex.te | 2 +-
4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 65b9a7428..42ed3a1d2 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -193,7 +193,7 @@ optional_policy(`
')

optional_policy(`
- bluetooth_stream_connect(pulseaudio_t)
+ bluetooth_use(pulseaudio_t)
')

optional_policy(`
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index c7e1c3f14..b21dac021 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -85,6 +85,30 @@ interface(`bluetooth_stream_connect',`
stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
')

+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket. The socket can be used
+## for read and write.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_use',`
+ gen_require(`
+ type bluetooth_t, bluetooth_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
+ allow $1 bluetooth_t:unix_stream_socket rw_socket_perms;
+ allow $1 bluetooth_t:fd use;
+ bluetooth_stream_connect($1);
+')
+
########################################
## <summary>
## Execute bluetooth in the bluetooth domain.
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 2d1d09d71..855ce86bd 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -265,7 +265,7 @@ optional_policy(`
')

optional_policy(`
- bluetooth_stream_connect(system_dbusd_t)
+ bluetooth_use(system_dbusd_t)
')

optional_policy(`
diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
index 6686edb37..5e2f20578 100644
--- a/policy/modules/services/obex.te
+++ b/policy/modules/services/obex.te
@@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
userdom_search_user_home_content(obex_t)

optional_policy(`
- bluetooth_stream_connect(obex_t)
+ bluetooth_use(obex_t)
')

optional_policy(`
--


2024-05-31 07:26:27

by Naga Bhavani Akella

[permalink] [raw]
Subject: Re: [PATCH v4] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

hi Chris PeBenito,

Could you please review the change and suggest if something needs to be modified.

On 5/27/2024 1:19 PM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 2. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <[email protected]>
> ---
> policy/modules/apps/pulseaudio.te | 2 +-
> policy/modules/services/bluetooth.if | 24 ++++++++++++++++++++++++
> policy/modules/services/dbus.te | 2 +-
> policy/modules/services/obex.te | 2 +-
> 4 files changed, 27 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..42ed3a1d2 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -193,7 +193,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(pulseaudio_t)
> + bluetooth_use(pulseaudio_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..b21dac021 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,30 @@ interface(`bluetooth_stream_connect',`
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')
>
> +#####################################
> +## <summary>
> +## Connect to bluetooth over a unix domain
> +## stream socket. The socket can be used
> +## for read and write.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`bluetooth_use',`
> + gen_require(`
> + type bluetooth_t, bluetooth_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket rw_socket_perms;
> + allow $1 bluetooth_t:fd use;
> + bluetooth_stream_connect($1);
> +')
> +
> ########################################
> ## <summary>
> ## Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..855ce86bd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -265,7 +265,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(system_dbusd_t)
> + bluetooth_use(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..5e2f20578 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
> userdom_search_user_home_content(obex_t)
>
> optional_policy(`
> - bluetooth_stream_connect(obex_t)
> + bluetooth_use(obex_t)
> ')
>
> optional_policy(`

--
Naga Bhavani Akella

2024-06-04 13:56:18

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v4] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

On 5/27/2024 3:49 AM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 2. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <[email protected]>
> ---
> policy/modules/apps/pulseaudio.te | 2 +-
> policy/modules/services/bluetooth.if | 24 ++++++++++++++++++++++++
> policy/modules/services/dbus.te | 2 +-
> policy/modules/services/obex.te | 2 +-
> 4 files changed, 27 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..42ed3a1d2 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -193,7 +193,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(pulseaudio_t)
> + bluetooth_use(pulseaudio_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..b21dac021 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,30 @@ interface(`bluetooth_stream_connect',`
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')
>
> +#####################################
> +## <summary>
> +## Connect to bluetooth over a unix domain
> +## stream socket. The socket can be used
> +## for read and write.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`bluetooth_use',`
> + gen_require(`
> + type bluetooth_t, bluetooth_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket rw_socket_perms;
> + allow $1 bluetooth_t:fd use;
> + bluetooth_stream_connect($1);
> +')
> +
> ########################################
> ## <summary>
> ## Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..855ce86bd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -265,7 +265,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(system_dbusd_t)
> + bluetooth_use(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..5e2f20578 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
> userdom_search_user_home_content(obex_t)
>
> optional_policy(`
> - bluetooth_stream_connect(obex_t)
> + bluetooth_use(obex_t)
> ')
>
> optional_policy(`

Merged. There were a couple lint issues that I fixed.

Thanks!


--
Chris PeBenito


2024-06-05 06:39:14

by Naga Bhavani Akella

[permalink] [raw]
Subject: Re: [PATCH v4] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

Hi Chris PeBenito,

We have an add-on query regarding bluetoothctl context

Based on your comment on patchset 2
>> Yes, the point is that we probably need a bluetoothctl_t domain so the configuration can be done only via the bluetoothctl process, not just any initrc_t process. The existing bluetooth_helper_t domain may possibly be renamed/retrofitted for this purpose.
We tried adding bluetooth_helper_t domain for bluetoothctl using
"/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)"
but it was running in initrc_t context as shown when"ps -eZ | grep bluetoothctl" is run.

Could you help us with this issue if it is already known.

Thanks!

On 6/4/2024 7:26 PM, Chris PeBenito wrote:
> On 5/27/2024 3:49 AM, Naga Bhavani Akella wrote:
>> Required for using acquire-notify, acquire-write options (Gatt Client)
>> and Sending notifications (Gatt Server)
>>
>> Below are the avc denials that are fixed with this patch -
>>
>> 1. audit: type=1400 audit(315966559.395:444):
>> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
>> path="socket:[13196]" dev="sockfs" ino=13196
>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tclass=fd permissive=0
>> 2. audit: type=1400 audit(315999854.939:523):
>> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
>> path="socket:[99469]" dev="sockfs" ino=99469
>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> Signed-off-by: Naga Bhavani Akella <[email protected]>
>> ---
>>   policy/modules/apps/pulseaudio.te    |  2 +-
>>   policy/modules/services/bluetooth.if | 24 ++++++++++++++++++++++++
>>   policy/modules/services/dbus.te      |  2 +-
>>   policy/modules/services/obex.te      |  2 +-
>>   4 files changed, 27 insertions(+), 3 deletions(-)
>>
>> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
>> index 65b9a7428..42ed3a1d2 100644
>> --- a/policy/modules/apps/pulseaudio.te
>> +++ b/policy/modules/apps/pulseaudio.te
>> @@ -193,7 +193,7 @@ optional_policy(`
>>   ')
>>     optional_policy(`
>> -    bluetooth_stream_connect(pulseaudio_t)
>> +    bluetooth_use(pulseaudio_t)
>>   ')
>>     optional_policy(`
>> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
>> index c7e1c3f14..b21dac021 100644
>> --- a/policy/modules/services/bluetooth.if
>> +++ b/policy/modules/services/bluetooth.if
>> @@ -85,6 +85,30 @@ interface(`bluetooth_stream_connect',`
>>       stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>>   ')
>>   +#####################################
>> +## <summary>
>> +##    Connect to bluetooth over a unix domain
>> +##    stream socket. The socket can be used
>> +##      for read and write.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`bluetooth_use',`
>> +    gen_require(`
>> +        type bluetooth_t, bluetooth_runtime_t;
>> +    ')
>> +
>> +    files_search_runtime($1)
>> +    allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
>> +    allow $1 bluetooth_t:unix_stream_socket rw_socket_perms;
>> +    allow $1 bluetooth_t:fd use;
>> +    bluetooth_stream_connect($1);
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Execute bluetooth in the bluetooth domain.
>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>> index 2d1d09d71..855ce86bd 100644
>> --- a/policy/modules/services/dbus.te
>> +++ b/policy/modules/services/dbus.te
>> @@ -265,7 +265,7 @@ optional_policy(`
>>   ')
>>     optional_policy(`
>> -    bluetooth_stream_connect(system_dbusd_t)
>> +    bluetooth_use(system_dbusd_t)
>>   ')
>>     optional_policy(`
>> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
>> index 6686edb37..5e2f20578 100644
>> --- a/policy/modules/services/obex.te
>> +++ b/policy/modules/services/obex.te
>> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
>>   userdom_search_user_home_content(obex_t)
>>     optional_policy(`
>> -    bluetooth_stream_connect(obex_t)
>> +    bluetooth_use(obex_t)
>>   ')
>>     optional_policy(`
>
> Merged.  There were a couple lint issues that I fixed.
>
> Thanks!
>
>

2024-06-05 18:48:02

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v4] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

On 6/5/2024 2:38 AM, Naga Bhavani Akella wrote:
> Hi Chris PeBenito,
>
> We have an add-on query regarding bluetoothctl context
>
> Based on your comment on patchset 2
>>> Yes, the point is that we probably need a bluetoothctl_t domain so the configuration can be done only via the bluetoothctl process, not just any initrc_t process. The existing bluetooth_helper_t domain may possibly be renamed/retrofitted for this purpose.
> We tried adding bluetooth_helper_t domain for bluetoothctl using
> "/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)"
> but it was running in initrc_t context as shown when"ps -eZ | grep bluetoothctl" is run.
>
> Could you help us with this issue if it is already known.

You would need to add:

init_system_domain(bluetooth_helper_t, bluetooth_helper_exec_t)

That, among other things, would allw the domain transition from initrc_t
to bluetooth_helper_t when running bluetooth_helper_exec_t.

--
Chris PeBenito