interfaces: bluez: allow file descriptors to be shared via dbus #12496
The Bluetooth stack implements a way to circumvent the bluez socket and instead communicate over DBus to share a file descriptor between two different process IDs. This AppArmor rule allows such file descriptor exchange.
Signed-off-by: Dilyn Corner <dilyn.corner@canonical.com>
Rule was created by Tony Espy after some discussions with John Johansen.
Essentially, there are some useful Rust bindings provided by bluer, a crate providing official Rust bindings for bluez. It implements two methods which have the value-add of decreasing latency when interacting with devices connected over BLE. What this amounts to is directly passing a particular file descriptor from one process to another. The added rules should be scoped narrowly enough such that one would have the minimum permissions to communicate over the relevant socket.
I've tested this on a snap I have which hosts a GATT server to connect to some client device, and with this rule added the snap behaves as expected.