linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Howard Chung <howardchung@google.com>
To: linux-bluetooth@vger.kernel.org, luiz.dentz@gmail.com
Cc: Yun-Hao Chung <howardchung@chromium.org>
Subject: [Bluez PATCH v4 04/13] core: block not allowed UUID connect in auth
Date: Thu, 29 Jul 2021 11:12:50 +0800	[thread overview]
Message-ID: <20210729110956.Bluez.v4.4.Ia4dc489979e4bf7ffa3421199b1b9fd8d7f00bbc@changeid> (raw)
In-Reply-To: <20210729031258.3391756-1-howardchung@google.com>

From: Yun-Hao Chung <howardchung@chromium.org>

This ensures any incoming profile connection will be blocked if its UUID
is not allowed by the following assumption:

1. Each system profile asks adapter authorization when seeing a incoming
   connection.
2. Each external profile checks if its UUID is allowed by adapter when
   seeing a incoming connection.
---
The following test steps were performed after enabling admin plugin:
1. Set ServiceAllowList to ["1234"].
2. Turn on a paired classic keyboard. Verify it can not be connected.
3. Set ServiceAllowList to
   ["1800","1801","180A","180F","1812"]
4. Turn off and turn on the keyboard. Verift it can be connected.

(no changes since v1)

 src/adapter.c |  5 +++++
 src/profile.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/adapter.c b/src/adapter.c
index c7fe27d19a5d..6c8096147bdd 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -7118,6 +7118,11 @@ static gboolean process_auth_queue(gpointer user_data)
 		if (auth->svc_id > 0)
 			return FALSE;
 
+		if (!btd_adapter_is_uuid_allowed(adapter, auth->uuid)) {
+			auth->cb(&err, auth->user_data);
+			goto next;
+		}
+
 		if (device_is_trusted(device) == TRUE) {
 			auth->cb(NULL, auth->user_data);
 			goto next;
diff --git a/src/profile.c b/src/profile.c
index 60d17b6ae657..58500c74746d 100644
--- a/src/profile.c
+++ b/src/profile.c
@@ -1249,6 +1249,11 @@ static void ext_confirm(GIOChannel *io, gpointer user_data)
 
 	DBG("incoming connect from %s", addr);
 
+	if (btd_adapter_is_uuid_allowed(adapter_find(&src), uuid)) {
+		info("UUID %s is not allowed. Igoring the connection", uuid);
+		return;
+	}
+
 	conn = create_conn(server, io, &src, &dst);
 	if (conn == NULL)
 		return;
@@ -1272,6 +1277,7 @@ static void ext_direct_connect(GIOChannel *io, GError *err, gpointer user_data)
 	struct ext_profile *ext = server->ext;
 	GError *gerr = NULL;
 	struct ext_io *conn;
+	const char *uuid = ext->service ? ext->service : ext->uuid;
 	bdaddr_t src, dst;
 
 	bt_io_get(io, &gerr,
@@ -1285,6 +1291,12 @@ static void ext_direct_connect(GIOChannel *io, GError *err, gpointer user_data)
 		return;
 	}
 
+	if (btd_adapter_is_uuid_allowed(adapter_find(&src), ext->uuid)) {
+		info("UUID %s is not allowed. Igoring the connection",
+								ext->uuid);
+		return;
+	}
+
 	conn = create_conn(server, io, &src, &dst);
 	if (conn == NULL)
 		return;
-- 
2.32.0.554.ge1b32706d8-goog


  parent reply	other threads:[~2021-07-29  3:13 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-29  3:12 [Bluez PATCH v4 00/13] Admin policy series Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 01/13] core: add is_allowed property in btd_service Howard Chung
2021-07-29  3:39   ` Admin policy series bluez.test.bot
2021-07-29  3:12 ` [Bluez PATCH v4 02/13] core: add adapter and device allowed_uuid functions Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 03/13] mcap: add adapter authorization Howard Chung
2021-07-29  3:12 ` Howard Chung [this message]
2021-07-29  3:12 ` [Bluez PATCH v4 05/13] core: add device_added and device_removed to adapter driver Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 06/13] plugins: new plugin Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 07/13] plugins/admin: add admin_policy adapter driver Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 08/13] plugins/admin: add ServiceAllowList method Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 09/13] plugins/admin: add ServiceAllowList property Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 10/13] plugins/admin: add device callbacks Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 11/13] plugins/admin: add AffectedByPolicy property Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 12/13] plugins/admin: persist policy settings Howard Chung
2021-07-29  3:12 ` [Bluez PATCH v4 13/13] doc: add description of admin policy Howard Chung

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210729110956.Bluez.v4.4.Ia4dc489979e4bf7ffa3421199b1b9fd8d7f00bbc@changeid \
    --to=howardchung@google.com \
    --cc=howardchung@chromium.org \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=luiz.dentz@gmail.com \
    --subject='Re: [Bluez PATCH v4 04/13] core: block not allowed UUID connect in auth' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).