Ok, I examined all the policy and created a very broad profile called "bluetooth": http://bazaar.launchpad.net/~ubuntu-security/apparmor-easyprof-ubuntu/trunk/view/head:/data/policygroups/ubuntu/1.3/bluetooth

This gives all access to bluez and is therefore reserved. I was able to successfully transfer a file to my laptop from the device using the shareapp from click #1. I was also able to run both the client and the server of click #2 without denials (but the apps couldn't communicate after connecting (unrelated to apparmor)).

In addition, for future reference and so the investigation is not lost, I committed 'bluetooth-net' and 'bluetooth-file-transfer' in the 'pending/' directory: http://bazaar.launchpad.net/~ubuntu-security/apparmor-easyprof-ubuntu/trunk/files/head:/pending/policygroups/

This policy is not ready for consumption-- we need trust-store integration in bluez for these to become 'common', but again, wanted to capture the work somewhere in case it is useful in the future. I'll work on getting these things landed in silos, etc next.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu.
https://bugs.launchpad.net/bugs/1569582

Title:
  Add Bluetooth apparmor policy

Status in Canonical System Image:
  Confirmed
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  In Progress

Bug description:
  I have created a content hub plugin that allows sending files via Bluetooth. At this point this only works when unconfined so here is a request to extend the apparmor policies to allow some things over Bluetooth.

  This plugin does a device discovery and then uses Bluez' obex client to transmit the file. When turning on apparmor on it, it first bails out with the messages below. However, once those are resolved, it'll probably want some more.

  I have attached the confined package to this bug so it can be easily tested. Please disregard the app in there completely and only evaluate the shareplugin in the package.
  After installing the click, open the gallery, share an image and select Bluetooth to start the process:

  [65927.602181] type=1107 audit(1460496066.496:2509): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65927.602199] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65927.607588] type=1107 audit(1460496066.506:2510): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65927.607606] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65928.611714] type=1107 audit(1460496067.506:2511): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65928.611733] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65929.615630] type=1107 audit(1460496068.516:2512): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65929.615649] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65930.619178] type=1107 audit(1460496069.516:2513): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65930.619197] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65931.622804] type=1107 audit(1460496070.516:2514): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65931.622822] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65932.626550] type=1107 audit(1460496071.526:2515): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65932.626569] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65933.630102] type=1107 audit(1460496072.526:2516): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65933.630121] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65934.633739] type=1107 audit(1460496073.536:2517): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65934.633758] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
  [65935.636831] type=1107 audit(1460496074.536:2518): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
  [65935.636850] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
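The denials quoted above are the raw material for the policy work described in this thread: each `apparmor="DENIED" operation="dbus_method_call"` line names the bus, object path, interface, member and peer that a rule must cover. Below is an added example, not code from the bug report or from apparmor-easyprof-ubuntu, showing how to turn those dmesg lines into candidate `dbus` rules in the apparmor.d(5) syntax, grouped by the confined label and de-duplicated (the `DefaultAdapter` call is logged once per retry but needs one rule). It is a small stand-in for what `aa-logprof` does; the parser, the function names and the exact-match (no globbing) rule rendering are this example's own choices. The embedded sample is three of the denial lines copied from this report, including the `exe=...` continuation lines that dmesg prints.

```python
"""Render AppArmor D-Bus denials from dmesg as candidate profile rules.

Added example for this bug thread; it is not part of apparmor-easyprof-ubuntu
or the AppArmor tools. Rule syntax follows apparmor.d(5):
  dbus (send) bus=system path=/ interface=... member=... peer=(name=..., label=...),
"""
import re
import sys
from typing import Dict, List

# Sample input: three denial records copied from the dmesg output in this bug
# report (two distinct method calls; DefaultAdapter appears twice on retry).
SAMPLE_DENIALS = """\
[65927.602181] type=1107 audit(1460496066.496:2509): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
[65927.602199] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
[65927.607588] type=1107 audit(1460496066.506:2510): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
[65927.607606] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
[65928.611714] type=1107 audit(1460496067.506:2511): pid=891 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.bluez.Manager" member="DefaultAdapter" mask="send" name="org.bluez" pid=25873 label="ubtd.mzanetti_shareplugin_0.1" peer_pid=911 peer_label="unconfined"
[65928.611733] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
"""

# AppArmor audit records quote every string field as key="value"; numeric
# fields (pid=, uid=, ...) are unquoted and deliberately not captured.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text: str) -> List[Dict[str, str]]:
    """Return one dict of quoted key/value fields per DENIED dbus record.

    Continuation lines (exe=..., sauid=...) and unrelated kernel output carry
    no apparmor="DENIED" token and are skipped.
    """
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("operation", "").startswith("dbus_"):
            events.append(fields)
    return events


def rule_for(ev: Dict[str, str]) -> str:
    """Render a single denial as an exact-match apparmor.d(5) dbus rule.

    mask is "send", "receive" or "bind". A bind denial names the well-known
    name being claimed; send/receive denials name the message and the peer.
    """
    access = ev["mask"]
    parts = [f"dbus ({access})", f"bus={ev['bus']}"]
    if access == "bind":
        parts.append(f"name={ev['name']}")
    else:
        for key in ("path", "interface", "member"):
            if key in ev:
                parts.append(f"{key}={ev[key]}")
        peer = []
        if "name" in ev:          # the bus name the message was addressed to
            peer.append(f"name={ev['name']}")
        if "peer_label" in ev:    # AppArmor label of the other end
            peer.append(f"label={ev['peer_label']}")
        if peer:
            parts.append("peer=(" + ", ".join(peer) + ")")
    return " ".join(parts) + ","


def rules_by_profile(text: str) -> Dict[str, List[str]]:
    """Group distinct rules by the confined label that was denied."""
    out: Dict[str, List[str]] = {}
    for ev in parse_denials(text):
        rules = out.setdefault(ev["label"], [])
        rule = rule_for(ev)
        if rule not in rules:     # one rule per distinct call, not per retry
            rules.append(rule)
    return out


if __name__ == "__main__":
    # Usage: python3 aa_dbus_rules.py [dmesg-output-file]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DENIALS
    for label, rules in rules_by_profile(text).items():
        print(f"# rules requested by label {label}")
        for rule in rules:
            print("  " + rule)
```

The output is intentionally one exact rule per distinct denial, which is the least-privilege starting point; a shipped policy group such as the `bluetooth` profile linked in this thread is broader (it covers bluez objects generally), and whether a given call should be granted to confined apps at all is the policy decision the thread discusses, not something a log-to-rule converter can settle.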