FYI, we decided on IRC that we would add a single reserved policy group
for now, named 'bluetooth'. This will allow full access to bluez. This
will be reserved in the first iteration because there are information
leaks and the device can be placed into discovery mode. Other accesses
were not investigated but are presumably present.

In the future, bluez will gain trust-store integration (with
corresponding system settings updates) so that access to bluez can be
safely granted to apps. We might leave 'bluetooth' as reserved and
create new policy groups like bluetooth-file-transfer, bluetooth-input,
etc.

https://bugs.launchpad.net/bugs/1569582

Title:
  Add Bluetooth apparmor policy

Status in Canonical System Image:
  Confirmed
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Triaged

Bug description:
  I have created a content hub plugin that allows sending files via
  Bluetooth. At this point this only works when unconfined so here is a
  request to extend the apparmor policies to allow some things over
  Bluetooth. This plugin does a device discovery and then uses Bluez'
  obex client to transmit the file. When turning on apparmor on it, it
  first bails out with the messages below. However, once those are
  resolved, it'll probably want some more. I have attached the confined
  package to this bug so it can be easily tested. Please disregard the
  app in there completely and only evaluate the shareplugin in the
  package. After installing the click, open the gallery, share an image
  and select Bluetooth to start the process:

  [65927.602181] type=1107 audit(1460496066.496:2509): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65927.602199] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65927.607588] type=1107 audit(1460496066.506:2510): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65927.607606] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65928.611714] type=1107 audit(1460496067.506:2511): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65928.611733] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65929.615630] type=1107 audit(1460496068.516:2512): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65929.615649] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65930.619178] type=1107 audit(1460496069.516:2513): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65930.619197] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65931.622804] type=1107 audit(1460496070.516:2514): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65931.622822] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65932.626550] type=1107 audit(1460496071.526:2515): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65932.626569] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65933.630102] type=1107 audit(1460496072.526:2516): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65933.630121] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65934.633739] type=1107 audit(1460496073.536:2517): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65934.633758] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65935.636831] type=1107 audit(1460496074.536:2518): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65935.636850] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
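
Added example (not part of the bug report, and not the apparmor-easyprof-ubuntu policy): a small parser that collapses a denial log like the one above into its unique D-Bus calls and renders each as a candidate AppArmor dbus rule for a policy reviewer to accept or reject. The function names are hypothetical; the sample records are copied from the report and unwrapped.

```python
import re
from collections import Counter

# Three records copied from the report above (unwrapped), plus one of the
# continuation lines that carries no AppArmor fields and must be skipped.
SAMPLE = """\
[65927.602181] type=1107 audit(1460496066.496:2509): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
[65927.602199] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
[65927.607588] type=1107 audit(1460496066.506:2510): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
[65928.611714] type=1107 audit(1460496067.506:2511): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
"""

KV = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" pairs only
KEYS = ("label", "mask", "bus", "path", "interface", "member", "name", "peer_label")


def parse_denials(text):
    """Yield one field dict per AppArmor D-Bus denial in the log text."""
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("apparmor") == "DENIED" and fields.get("operation", "").startswith("dbus_"):
            yield fields


def summarize(text):
    """Count denials per unique confined label and D-Bus call."""
    return Counter(tuple(f.get(k, "") for k in KEYS) for f in parse_denials(text))


def candidate_rule(key):
    """Render one unique denial as an AppArmor dbus rule (for review only)."""
    _label, mask, bus, path, iface, member, name, peer_label = key
    return (f"dbus ({mask}) bus={bus} path={path} interface={iface} "
            f"member={member} peer=(name={name}, label={peer_label}),")


def report(text):
    """Return (label, count, rule) tuples, most frequent denial first."""
    return [(k[0], n, candidate_rule(k)) for k, n in summarize(text).most_common()]


if __name__ == "__main__":
    for label, count, rule in report(SAMPLE):
        print(f"# {count} denial(s) for {label}\n{rule}")
```

Run over the full log in the report, this reduces the ten records to two distinct calls, which makes it easier to see how much of the bluez API a rule would open up to the confined label.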
