interfaces: bluez: allow file descriptors to be shared via dbus

The bluetooth stack implements a way to circumvent the bluez socket and instead communicate over DBus to share a file descriptor between two different process IDs. This apparmor rule allows such file descriptor exchanging to be allowed. Signed-off-by: Dilyn Corner <dilyn.corner@canonical.com>
snapcore · Feb 6, 2023 · d2a9306 · d2a9306
1 parent 6014c88
commit d2a9306
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/interfaces/builtin/bluez.go b/interfaces/builtin/bluez.go
@@ -147,6 +147,9 @@ const bluezConnectedSlotAppArmor = `
 dbus (receive, send)
     bus=system
     peer=(label=###PLUG_SECURITY_TAGS###),
+
+# Allow sharing file descriptors (via DBus)
+unix (send,receive) type="seqpacket" addr=none peer=(addr=none label=###PLUG_SECURITY_TAGS###),
 `
 
 const bluezConnectedPlugAppArmor = `
@@ -186,6 +189,9 @@ dbus (receive)
 
 # Allow access to bluetooth audio streams
 network bluetooth,
+
+# Allow use of shared (via DBus) file descriptors
+unix (send, receive) type="seqpacket" addr=none peer=(addr=none label=###SLOT_SECURITY_TAGS###),
 `
 
 const bluezPermanentSlotSecComp = `