From: Naga Bhavani Akella
Subject: [PATCH 2/2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
Date: Tue, 21 May 2024 14:13:23 +0530
Message-ID: <20240521084323.14200-1-quic_nakella@quicinc.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Required for using the acquire-notify and acquire-write options (GATT client) and for sending notifications (GATT server).

Below are the avc denials that are fixed with this patch:

1. audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
4. audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0
5. audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella
---
 policy/modules/apps/pulseaudio.te    |  1 +
 policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
 policy/modules/services/dbus.te      |  1 +
 policy/modules/services/obex.te      |  1 +
 4 files changed, 25 insertions(+)

diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 65b9a7428..9bf69bedc 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -194,6 +194,7 @@ optional_policy(` optional_policy(` bluetooth_stream_connect(pulseaudio_t) + bluetooth_socket_connect(pulseaudio_t) ') optional_policy(` diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index c7e1c3f14..dd26d95f4 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if
@@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',` stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) ') +##################################### +## +## Connect to bluetooth over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`bluetooth_socket_connect',` + gen_require(` + type bluetooth_t, bluetooth_runtime_t; + ') + + files_search_runtime($1) + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms; + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms }; + allow $1 bluetooth_t:fd use; +') + ######################################## ## ## Execute bluetooth in the bluetooth domain. diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 2d1d09d71..301c81aa5 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -266,6 +266,7 @@ optional_policy(` optional_policy(` bluetooth_stream_connect(system_dbusd_t) + bluetooth_socket_connect(system_dbusd_t) ') optional_policy(` diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te index 6686edb37..edbdc7ecf 100644 --- a/policy/modules/services/obex.te +++ b/policy/modules/services/obex.te @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t) optional_policy(` bluetooth_stream_connect(obex_t) + bluetooth_socket_connect(obex_t) ') optional_policy(` --
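Review bot: the pulseaudio.te hunk adds bluetooth_socket_connect(pulseaudio_t), but none of the five denials quoted in the description has scontext pulseaudio_t, so nothing in this mail justifies granting pulseaudio_t read/write on bluetooth_t's bluetooth_socket, accept/listen/connectto on its unix stream sockets and fd use. Please either quote the denial that motivates it or drop this hunk from the series.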
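Review bot: the new bluetooth_socket_connect interface in bluetooth.if does not match the denials it claims to fix and over-grants for the ones it does. Denials 1 to 3 have tcontext initrc_t, yet every rule here targets bluetooth_t, so "allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };" cannot resolve any of them; the subject line names bluetoothctl but no rule gives it a domain, and a socket owned by initrc_t means the peer is running unconfined under init, which is the thing to fix rather than something to allow against. Only denials 4 and 5 (system_dbusd_t to bluetooth_t, fd use and bluetooth_socket read write) are covered by the interface. In the unix_stream_socket rule, accept and listen are server-side permissions on bluetooth_t's own socket, and connectto is already granted by bluetooth_stream_connect through stream_connect_pattern(), so that line should be reduced to what a denial shows or removed, since no quoted denial involves bluetooth_t:unix_stream_socket at all. files_search_runtime($1) and bluetooth_runtime_t in the gen_require block are not used by any of the allow rules and should go. Finally, the summary ("Connect to bluetooth over a unix domain stream socket") duplicates the existing bluetooth_stream_connect; name and document the interface for what it actually grants, for example a bluetooth_rw_socket interface plus a separate fd-use one, so callers can take only what their denial needs.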
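Review bot: the dbus.te hunk is the only call backed by the quoted denials (4: system_dbusd_t to bluetooth_t:fd use, 5: system_dbusd_t to bluetooth_t:bluetooth_socket read write), which is dbus-daemon handling a socket descriptor passed from bluetoothd. Those two need only "allow system_dbusd_t bluetooth_t:fd use;" and read/write on bluetooth_socket; calling bluetooth_socket_connect(system_dbusd_t) additionally grants accept, listen and connectto on bluetooth_t's unix_stream_socket, which no denial supports, so a narrower interface is preferable here. Note also that denial 3 (system_dbusd_t to initrc_t:unix_stream_socket read write) is left unaddressed by this hunk, so the description's claim that all five are fixed does not hold for dbus-daemon.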
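Review bot: the obex.te hunk adds bluetooth_socket_connect(obex_t) with no denial in the description involving obex_t, the same gap as the pulseaudio.te hunk. A refpolicy rule needs a concrete denial or a documented code path behind it; please add the obexd denial to the description or drop this hunk.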
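A coverage check a reviewer can run over the denials quoted in the description, added here as an example and not part of the patch or of refpolicy: it parses each avc line into (source type, target type, class, permissions), expands the patch's new bluetooth_socket_connect interface for the three callers the patch adds it to, and reports which quoted denials those rules actually resolve and which added rules have no denial behind them. The avc lines are the five from the mail; RW_SOCKET_PERMS is my transcription of refpolicy's rw_socket_perms macro and is an assumption to check against policy/support/obj_perm_sets.spt in the tree you build.

```python
"""Check which quoted avc denials a set of SELinux allow rules covers.

Added example for reviewing the bluetooth_socket_connect patch; not code
from the patch or from refpolicy.
"""
import re
from collections import defaultdict

# Sample input: the five denials quoted in the patch description.
AVC_LINES = [
    'audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1',
    'audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0',
    'audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1',
]

# Assumption: refpolicy's rw_socket_perms macro (obj_perm_sets.spt); verify
# against the tree you build against before relying on it.
RW_SOCKET_PERMS = frozenset({"ioctl", "read", "getattr", "write", "setattr",
                             "append", "bind", "connect", "getopt", "setopt",
                             "shutdown"})

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'\s+permissive=(?P<permissive>[01])')


def domain(ctx):
    """Type field of a user:role:type:range security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one avc denial; None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "comm": m["comm"],
        "source": domain(m["scontext"]),
        "target": domain(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",
    }


def bluetooth_socket_connect(caller):
    """Expand the patch's new interface for one caller domain ($1)
    into (source, target, class, perms) tuples."""
    return [
        (caller, "bluetooth_t", "bluetooth_socket", set(RW_SOCKET_PERMS)),
        (caller, "bluetooth_t", "unix_stream_socket",
         RW_SOCKET_PERMS | {"accept", "connectto", "listen"}),
        (caller, "bluetooth_t", "fd", {"use"}),
    ]


# The three callers the patch adds the interface to.
PATCH_RULES = [r for c in ("pulseaudio_t", "system_dbusd_t", "obex_t")
               for r in bluetooth_socket_connect(c)]


def covers(rule, denial):
    src, tgt, cls, perms = rule
    return (src == denial["source"] and tgt == denial["target"]
            and cls == denial["tclass"] and denial["perms"] <= perms)


def coverage(lines, rules):
    """Return (covered, uncovered) lists of 1-based denial numbers."""
    covered, uncovered = [], []
    for i, line in enumerate(lines, 1):
        d = parse_avc(line)
        if d is None:
            continue
        (covered if any(covers(r, d) for r in rules) else uncovered).append(i)
    return covered, uncovered


def required_rules(lines):
    """Aggregate denials into the minimal rules they imply, keyed by
    (source, target, class) -> perms, the way audit2allow would.  Whether
    each rule *should* be added is a separate question (a target of
    initrc_t usually means a mislabelled peer, not a missing allow)."""
    need = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            need[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(need)


def unjustified(rules, lines):
    """Patch rules for which no quoted denial exists at all."""
    need = required_rules(lines)
    return [r for r in rules if (r[0], r[1], r[2]) not in need]


if __name__ == "__main__":
    cov, uncov = coverage(AVC_LINES, PATCH_RULES)
    print("covered by patch:", cov, "not covered:", uncov)
    for (s, t, c), p in sorted(required_rules(AVC_LINES).items()):
        print(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};")
    for s, t, c, _ in unjustified(PATCH_RULES, AVC_LINES):
        print(f"no denial supports: allow {s} {t}:{c}")
```

Running it prints that only denials 4 and 5 are covered and that seven of the nine expanded rules have no denial behind them; the same check works for any patch once you transcribe its rules into the same tuple form.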