All of lore.kernel.org
 help / color / mirror / Atom feed
From: Howard Chung <howardchung@google.com>
To: linux-bluetooth@vger.kernel.org, luiz.dentz@gmail.com
Cc: Yun-Hao Chung <howardchung@chromium.org>
Subject: [Bluez PATCH v3 04/13] core: block not allowed UUID connect in auth
Date: Wed, 28 Jul 2021 21:15:20 +0800	[thread overview]
Message-ID: <20210728211405.Bluez.v3.4.Ia4dc489979e4bf7ffa3421199b1b9fd8d7f00bbc@changeid> (raw)
In-Reply-To: <20210728131529.3310558-1-howardchung@google.com>

From: Yun-Hao Chung <howardchung@chromium.org>

This ensures any incoming profile connection will be blocked if its UUID
is not allowed by the following assumption:

1. Each system profile asks adapter authorization when seeing a incoming
   connection.
2. Each external profile checks if its UUID is allowed by adapter when
   seeing a incoming connection.
---
The following test steps were performed after enabling admin_policy
plugin:
1. Set ServiceAllowList to ["1234"].
2. Turn on a paired classic keyboard. Verify it can not be connected.
3. Set ServiceAllowList to
   ["1800","1801","180A","180F","1812"]
4. Turn off and turn on the keyboard. Verift it can be connected.

(no changes since v1)

 src/adapter.c |  5 +++++
 src/profile.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/adapter.c b/src/adapter.c
index c7fe27d19..6c8096147 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -7118,6 +7118,11 @@ static gboolean process_auth_queue(gpointer user_data)
 		if (auth->svc_id > 0)
 			return FALSE;
 
+		if (!btd_adapter_is_uuid_allowed(adapter, auth->uuid)) {
+			auth->cb(&err, auth->user_data);
+			goto next;
+		}
+
 		if (device_is_trusted(device) == TRUE) {
 			auth->cb(NULL, auth->user_data);
 			goto next;
diff --git a/src/profile.c b/src/profile.c
index 60d17b6ae..58500c747 100644
--- a/src/profile.c
+++ b/src/profile.c
@@ -1249,6 +1249,11 @@ static void ext_confirm(GIOChannel *io, gpointer user_data)
 
 	DBG("incoming connect from %s", addr);
 
+	if (btd_adapter_is_uuid_allowed(adapter_find(&src), uuid)) {
+		info("UUID %s is not allowed. Igoring the connection", uuid);
+		return;
+	}
+
 	conn = create_conn(server, io, &src, &dst);
 	if (conn == NULL)
 		return;
@@ -1272,6 +1277,7 @@ static void ext_direct_connect(GIOChannel *io, GError *err, gpointer user_data)
 	struct ext_profile *ext = server->ext;
 	GError *gerr = NULL;
 	struct ext_io *conn;
+	const char *uuid = ext->service ? ext->service : ext->uuid;
 	bdaddr_t src, dst;
 
 	bt_io_get(io, &gerr,
@@ -1285,6 +1291,12 @@ static void ext_direct_connect(GIOChannel *io, GError *err, gpointer user_data)
 		return;
 	}
 
+	if (btd_adapter_is_uuid_allowed(adapter_find(&src), ext->uuid)) {
+		info("UUID %s is not allowed. Igoring the connection",
+								ext->uuid);
+		return;
+	}
+
 	conn = create_conn(server, io, &src, &dst);
 	if (conn == NULL)
 		return;
-- 
2.32.0.432.gabb21c7263-goog


  parent reply	other threads:[~2021-07-28 13:16 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-28 13:15 [Bluez PATCH v3 00/13] Admin policy series Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 01/13] core: add is_allowed property in btd_service Howard Chung
2021-07-28 13:39   ` Admin policy series bluez.test.bot
2021-07-28 13:15 ` [Bluez PATCH v3 02/13] core: add adapter and device allowed_uuid functions Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 03/13] mcap: add adapter authorization Howard Chung
2021-07-28 13:15 ` Howard Chung [this message]
2021-07-28 13:15 ` [Bluez PATCH v3 05/13] core: add device_added and device_removed to adapter driver Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 06/13] plugins: new plugin Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 07/13] plugins/admin_policy: add admin_policy adapter driver Howard Chung
2021-07-28 17:42   ` Luiz Augusto von Dentz
2021-07-28 13:15 ` [Bluez PATCH v3 08/13] plugins/admin_policy: add ServiceAllowList method Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 09/13] plugins/admin_policy: add ServiceAllowList property Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 10/13] plugins/admin_policy: add device callbacks Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 11/13] plugins/admin_policy: add AffectedByPolicy property Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 12/13] plugins/admin_policy: persist policy settings Howard Chung
2021-07-28 13:15 ` [Bluez PATCH v3 13/13] doc: add description of admin policy Howard Chung

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210728211405.Bluez.v3.4.Ia4dc489979e4bf7ffa3421199b1b9fd8d7f00bbc@changeid \
    --to=howardchung@google.com \
    --cc=howardchung@chromium.org \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=luiz.dentz@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.