You changed the copyright in bluetooth_control_test.go, but forgot to update it and bluetooth_control.go for /dev/vhci, which is included in the apparmor policy. Can you add that?
/dev/vhci is just a node that vhci driver created. I am not able to find it in udev database even if it exists. http://paste.ubuntu.com/25336192/
If we add udev rules, the devices we want to tag are the virtual devices.
`SUBSYSTEM=="bluetooth", KERNEL=="hci[0-9]*", TAG+="%s"
Yes, "%s" will be changed to ###CONNECTED_SECURITY_TAGS###
Oh that is interesting, but I really like your idea of SUBSYSTEM bluetooth. How about just treat this like raw-usb and do:
SUBSYSTEM=="bluetooth", TAG+="%s
The 'hci' devices are virtual devices and not yet mediated by AppArmor or devices that need to be added to the device cgroup. However, tagging all bluetooth devices helps future-proof a bit in case /dev/vhci ends up showing up in udev or other bluetooth devices show up in /dev.
Indeed, that looks way too broad. In fact, a bit too broad to be right. Not sure it makes sense to turn the "broadcoam-asic" interface in a sort of "read about every single PCI device in the system".
@jdstrand Note that we won't be able to change that in the future without the potential of breaking clients unknowingly.
I think it's related to hardware assignment. We have a bug on launchpad tracking on this. Not sure where are we with that. @jdstrand Could you share the updates and plan here?
Thanks
@niemeyer, @adglkh - they are necessarily broad because in PR review it was found there was nothing in the /sys/devices path alone that made it 'broadcom-asic'. I believe it is technically possible for snapd to interrogate the system via udev to get the precise /sys/devices and /run/udev/data paths for the device (see #1226 (comment) for back of the napkin idea), but this work is neither prioritized nor assigned. As a result, this interface along with existing opengl and camera interfaces use rules that are broader than they should be (but we comment in the policy in camera and opengl about the leak). While the accesses in question do constitute an information leak, they are not terribly significant (which is why the work is not prioritized/assigned) and in the 'future work' bucket.
I think the plan should be:
continue with the access as written since without it, things break
add a comment that this is an information leak (see opengl.go)
at some future time, implement the udev querying in snapd and have new interfaces in series 16 use this
in some future iteration of snappy which is generating different policy (eg, something not 'series 16'), migrate existing interfaces that use the broad globs to using only the outputs of udev querying
You changed the copyright in bluetooth_control_test.go, but forgot to update it and bluetooth_control.go for
/dev/vhci, which is included in the apparmor policy. Can you add that?