BlueZ configuration file/security question

Havoc Pennington hp at redhat.com
Thu Nov 30 11:56:06 PST 2006 

Claudio Takahasi wrote:
> [Client]-------[hcid] -----> [ServiceAgent]
> 
> * Client: any application that wants use BlueZ services.
> 
> * hcid: main BlueZ daemon that manages local adapter setup tasks,
> remote device discover, authetication, ...
> 
> * ServiceAgent: applications that wants provide a Bluetooth service.
> eg: Audio, Network, Input, etc. ServiceAgents don't have a well-known
> names. THE PATH AND THE INTERFACE ARE FREELY DEFINABLE.
> 
> MY QUESTION IS:
> How we can AVOID send message directly to the ServiceAgent? (it is
> possible send a message directly to the ServiceAgent using the "unique
> connection name" and the right path)

This is all on the system bus, right? (on the session bus there's no 
point worrying about security in this way)

The issue is that to have a security policy that applies only to the 
ServiceAgents, you need some property unique to those agents. This could 
be the UNIX user or group, a well-known name, an object path or interface.

"man dbus-daemon" has docs on the security policies. One thing the docs 
should mention but don't (someone please fix this!) is that a 
send_destination or receive_sender rule applies to *any queued owner* of 
the well-known name, not just the current primary owner of it.

What this means is that you could have a well-known name 
org.bluez.ServiceAgent, and all service agents would ask to be in the 
queue for that name. Then the policy would be something like:

  <!-- deny sending to ServiceAgents or receiving from ServiceAgents -->
  <policy context="default">
    <deny send_destination="org.bluez.ServiceAgent"/>
    <deny receive_sender="org.bluez.ServiceAgent"/>
  </policy>
  <!-- allow some particular unix user to talk to service agents -->
  <policy user="bluezuser">
    <allow send_destination="org.bluez.ServiceAgent"/>
    <allow receive_sender="org.bluez.ServiceAgent"/>
  </policy>

I think that would work, though obviously it hinges on running hcid as a 
special user. Presumably you already have to do this in order to supply 
security policies for talking to hcid itself.

Another thing you could do is just don't use the bus for ServiceAgents, 
i.e. have them connect to the hcid directly.

Havoc

More information about the dbus mailing list