Subject: Re: [PATCH v2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
Date: Tue, 21 May 2024 14:31:11 +0530
To: Chris PeBenito
X-Mailing-List: selinux-refpolicy@vger.kernel.org
References: <20240521084323.14200-1-quic_nakella@quicinc.com>
From: Naga Bhavani Akella
In-Reply-To: <20240521084323.14200-1-quic_nakella@quicinc.com>

hi Chris PeBenito,

> In that case, then a new interface with a more abstract name would be warranted.

As per your suggestion on patch v1, we added a new interface bluetooth_socket_connect. Could you please let us know an alternate name if this is not appropriate.

> Yes, the point is that we probably need a bluetoothctl_t domain so the configuration can be done only via the bluetoothctl process, not just any initrc_t process. The existing bluetooth_helper_t domain may possibly be renamed/retrofitted for this purpose.

We tried adding the bluetooth_helper_t domain for bluetoothctl using "/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)", but it was running in the initrc_t context, as shown when "ps -eZ | grep bluetoothctl" is run. We are trying to check internally the cause of this issue, hence removed that change in the current patch. Could you help us with this issue if it is already known?
On 5/21/2024 2:13 PM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
> > Signed-off-by: Naga Bhavani Akella > --- > policy/modules/apps/pulseaudio.te | 1 + > policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++ > policy/modules/services/dbus.te | 1 + > policy/modules/services/obex.te | 1 + > 4 files changed, 25 insertions(+) > > diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te > index 65b9a7428..9bf69bedc 100644 > --- a/policy/modules/apps/pulseaudio.te > +++ b/policy/modules/apps/pulseaudio.te > @@ -194,6 +194,7 @@ optional_policy(` > > optional_policy(` > bluetooth_stream_connect(pulseaudio_t) > + bluetooth_socket_connect(pulseaudio_t) > ') > > optional_policy(` > diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if > index c7e1c3f14..dd26d95f4 100644 > --- a/policy/modules/services/bluetooth.if > +++ b/policy/modules/services/bluetooth.if > @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',` > stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) > ') > > +##################################### > +## > +## Connect to bluetooth over a unix domain > +## stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`bluetooth_socket_connect',` > + gen_require(` > + type bluetooth_t, bluetooth_runtime_t; > + ') > + > + files_search_runtime($1) > + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms; > + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms }; > + allow $1 bluetooth_t:fd use; > +') > + > ######################################## > ## > ## Execute bluetooth in the bluetooth domain. > diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te > index 2d1d09d71..301c81aa5 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te > @@ -266,6 +266,7 @@ optional_policy(` > > optional_policy(` > bluetooth_stream_connect(system_dbusd_t) > + bluetooth_socket_connect(system_dbusd_t) > ') > > optional_policy(` 
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te > index 6686edb37..edbdc7ecf 100644 > --- a/policy/modules/services/obex.te > +++ b/policy/modules/services/obex.te > @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t) > > optional_policy(` > bluetooth_stream_connect(obex_t) > + bluetooth_socket_connect(obex_t) > ') > > optional_policy(`
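Review bot: no denial in the description justifies the pulseaudio.te hunk: none of the five AVC records has scontext pulseaudio_t, and pulseaudio_t already gets `bluetooth_stream_connect` in the same optional_policy block. Adding `bluetooth_socket_connect(pulseaudio_t)` hands it `fd use`, `bluetooth_socket` read/write and unix_stream_socket `listen`/`accept` on bluetooth_t with no evidence of need; suggest dropping the call until a pulseaudio_t denial is shown, or stating the PulseAudio use case in the commit message.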
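Review bot: in the bluetooth.if hunk the new interface grants more than its name and summary ("connect to bluetooth over a unix domain stream socket") state, and part of the body is dead. `listen` and `accept` on bluetooth_t:unix_stream_socket are server-side permissions a connecting client never needs; `connectto` is already granted by `stream_connect_pattern` inside `bluetooth_stream_connect`, which every caller in this patch invokes right above the new call; and `bluetooth_runtime_t` in `gen_require` plus `files_search_runtime($1)` are referenced by no rule in the body. The only denials in the description with tcontext bluetooth_t are 4 and 5 (`fd use` and `bluetooth_socket { read write }` from system_dbusd_t), so suggest reducing the body to `allow $1 bluetooth_t:fd use;` and `allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;`, removing the unused require and search, and renaming the interface (for instance `bluetooth_rw_socket`) since it no longer connects to anything. Denials 1-3 have tcontext initrc_t, i.e. the socket belongs to the bluetoothctl process that the reply says is still running as initrc_t; nothing in this patch grants access to an initrc_t socket, so they remain outstanding and belong with the bluetoothctl_t domain work rather than with this interface.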
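Review bot: the dbus.te hunk matches denials 4 and 5 (system_dbusd_t needs `fd use` and `bluetooth_socket { read write }` on bluetooth_t), but denial 3, also from dbus-daemon, targets an initrc_t unix_stream_socket and is granted by nothing in this patch, so the commit message's claim that all five denials are fixed does not hold. Suggest stating per hunk which denial it resolves and moving denials 1-3 to the bluetoothctl_t follow-up. Note also that denial 4 is the only record with permissive=0, i.e. the only access that was actually blocked on an enforcing system; the others were logged in permissive mode.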
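Review bot: no denial in the description has scontext obex_t, so the obex.te hunk widens obex_t's access to bluetooth_t (`fd use`, `bluetooth_socket` read/write, unix_stream_socket `listen`/`accept`) without evidence of need; suggest dropping `bluetooth_socket_connect(obex_t)` or documenting the obex use case in the commit message.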
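The thread hinges on whether the five AVC records actually map onto the rules the patch adds. The script below is an added example, not code from the patch author or from the refpolicy project: it parses the denials quoted in the patch description, merges them into the minimal allow rules they imply, then checks each merged rule against a model of what `bluetooth_socket_connect` grants to its three callers. The sample input is the page's own five records joined onto single lines with the mail quote prefix left in place; the expansion of `rw_socket_perms` and the modelling of the interface body as three allow rules are assumptions made here.

```python
"""Parse AVC denials and check which ones a proposed refpolicy interface covers."""
import re
from collections import defaultdict

# Constructed sample input: the five denials quoted in the patch description,
# each joined onto one line and still carrying the mail quote prefix.
SAMPLE_AUDIT = """\
> 1. audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one record per 'avc: denied' line; all other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm"),
            # permissive=0 means the access was actually blocked, not only logged
            "enforced": fields.get("permissive") == "0",
        })
    return records


def summarize(records):
    """Merge denials into (source type, target type, class) -> permission set."""
    needed = defaultdict(set)
    for r in records:
        needed[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(needed)


def allow_rules(needed):
    """Render the merged denials as refpolicy-style allow rules, sorted."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in needed.items()
    )


# Assumed expansion of refpolicy's rw_socket_perms macro (obj_perm_sets.spt).
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown", "lock"}


def bluetooth_socket_connect(caller):
    """Model (assumed here) of what the patch's interface grants to one caller."""
    return {
        (caller, "bluetooth_t", "bluetooth_socket"): set(RW_SOCKET_PERMS),
        (caller, "bluetooth_t", "unix_stream_socket"): RW_SOCKET_PERMS | {"accept", "connectto", "listen"},
        (caller, "bluetooth_t", "fd"): {"use"},
    }


def coverage(needed, callers):
    """Split merged denials into those the interface grants and those it does not."""
    grants = {}
    for c in callers:
        grants.update(bluetooth_socket_connect(c))
    covered, uncovered = {}, {}
    for key, perms in needed.items():
        missing = perms - grants.get(key, set())
        (uncovered if missing else covered)[key] = perms
    return covered, uncovered


if __name__ == "__main__":
    needed = summarize(parse_avc(SAMPLE_AUDIT))
    for rule in allow_rules(needed):
        print(rule)
    covered, uncovered = coverage(needed, {"pulseaudio_t", "system_dbusd_t", "obex_t"})
    print("covered by bluetooth_socket_connect():", sorted(covered))
    print("still denied after the patch:", sorted(uncovered))
```

Run stand-alone it prints four merged rules and reports that only the two system_dbusd_t-to-bluetooth_t entries (denials 4 and 5) are covered, while both entries with an initrc_t target (denials 1 to 3) stay denied; feeding it a fresh `ausearch -m avc` dump instead of the embedded sample gives the same split for any proposed interface you model in `bluetooth_socket_connect`.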