interfaces: bluez: allow file descriptors to be shared via dbus #12496

Merged
merged 1 commit into from Feb 6, 2023

dilyn-corner
Contributor

The Bluetooth stack implements a way to circumvent the bluez socket and instead communicate over DBus to share a file descriptor between two different process IDs. This AppArmor rule allows such file descriptor exchange.

Signed-off-by: Dilyn Corner <dilyn.corner@canonical.com>

Rule was created by Tony Espy after some discussions with John Johansen.

Essentially, there are some useful Rust bindings provided by bluer, a crate providing official Rust bindings for bluez. It implements two methods which have the value-add of decreasing latency when interacting with devices connected over BLE. What this amounts to is directly passing a particular file descriptor from one process to another. The added rules should be scoped narrowly enough such that one would have the minimum permissions to communicate over the relevant socket.

I've tested this on a snap I have which hosts a GATT server to connect to some client device, and with this rule added the snap behaves as expected.
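D-Bus carries file-descriptor arguments between processes as `SCM_RIGHTS` ancillary data on a Unix socket, which is the handover the description above refers to. The following is an added example, not code from this pull request, snapd, BlueZ or bluer: it passes one end of a data channel across a control socket and has the receiver check what it was given before using it. The function names and the two `socketpair()` stand-ins are assumptions made for the example (Python 3.9+, Linux).

```python
import os
import socket
import stat


def send_endpoint(channel, endpoint):
    """Sender: pass one already-open descriptor as SCM_RIGHTS ancillary data."""
    socket.send_fds(channel, [b"fd"], [endpoint.fileno()])


def receive_endpoint(channel):
    """Receiver: accept exactly one descriptor and require it to be a socket."""
    _msg, fds, flags, _addr = socket.recv_fds(channel, 16, 4)
    try:
        if flags & socket.MSG_CTRUNC:
            raise ValueError("ancillary data truncated, descriptors may be lost")
        if len(fds) != 1:
            raise ValueError(f"expected 1 descriptor, got {len(fds)}")
        if not stat.S_ISSOCK(os.fstat(fds[0]).st_mode):
            raise ValueError("received descriptor is not a socket")
    except ValueError:
        for fd in fds:  # never leak descriptors we decided not to use
            os.close(fd)
        raise
    return socket.socket(fileno=fds[0])


def demo():
    # Constructed stand-ins: `bus_*` plays the message-bus connection,
    # `data_*` plays the low-latency data channel being handed over.
    bus_a, bus_b = socket.socketpair()
    data_local, data_remote = socket.socketpair()
    with bus_a, bus_b, data_local:
        send_endpoint(bus_a, data_remote)
        data_remote.close()  # the receiver's copy stays valid after this
        with receive_endpoint(bus_b) as received:
            data_local.sendall(b"notify")
            return received.recv(16)


if __name__ == "__main__":
    print(demo())
```

The receiver ends up holding an open object it never opened by path, which is why the confinement policy has to permit the exchange explicitly and why the receiving side should check the descriptor's type.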

@pedronis pedronis added Security-High Needs security review Can only be merged once security gave a :+1: labels Jan 19, 2023
@mvo5 mvo5 added this to the 2.59 milestone Jan 20, 2023
Collaborator

@alexmurray alexmurray left a comment

LGTM!

@alexmurray alexmurray removed Security-High Needs security review Can only be merged once security gave a :+1: labels Jan 23, 2023
Contributor

@mvo5 mvo5 left a comment

Codewise this looks fine

@pedronis pedronis self-requested a review January 31, 2023 09:40
Collaborator

@pedronis pedronis left a comment

+1

@mvo5 mvo5 merged commit d2a9306 into snapcore:master Feb 6, 2023
@dilyn-corner dilyn-corner deleted the extend-bluez branch September 29, 2023 20:29