Re: [PATCH BlueZ 0/3] Per-device option to enable/disable internal profiles

[Sonny Sasaka <sonnysasaka@chromium.org>]

Hi Luiz,

I considered having such an approach that gives exception to some
profile to not claim exclusive access. However, I think that this
approach has a drawback that it can only be guaranteed to work
correctly for profiles that contain only read-only attributes. Any
profile that contains writable attributes, naturally, cannot be
guaranteed to always work correctly (as is the case with the Battery
profile). Therefore, the usefulness of that feature will be very
limited.

I also considered the benefits of the AllowInternalProfiles approach:
* Applications can also have control over any profile, not just
Battery profile. For example, if in the future BlueZ has more internal
profiles, like (Blood Pressure Profile or any other profile that may
contain writable attributes), we can guarantee that applications can
still opt to have access to that profile, without relying on a profile
being "safe" to be shared by both BlueZ's internal and external
handlers.
* This has an added security benefit: applications which operate on a
specific GATT profile will not unintentionally activate internal
profiles such as HOG (which is able to hijack input control of the
host). This is the correct and expected behavior of Android apps that
connect over GATT and get access to a GATT profile.

Therefore I think that this approach, although more complex, has
longer lasting benefits. Let me know if you have any objection to
having such a feature.


On Mon, Jul 13, 2020 at 1:35 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Sonny,
>
> On Mon, Jul 13, 2020 at 1:18 PM Sonny Sasaka <sonnysasaka@chromium.org> wrote:
> >
> > This patch series adds a mechanism for clients to choose whether to
> > enable BlueZ internal profiles (e.g. A2DP, Battery) for specific
> > devices.
> >
> > The motivation behind this feature is that some applications (e.g. Web
> > Bluetooth or Android apps) need to have control over all remove GATT
> > services, like Battery service. With "battery" plugin being enabled on
> > BlueZ, it becomes not possible for those apps to work properly because
> > BlueZ "hides" the Battery-related attributes from its GATT Client API.
> > Disabling the "battery" plugin won't solve the problem either, since we
> > do also need to enable the plugin so that we can use org.bluez.Battery1
> > API.
> >
> > The solution that we propose is that clients can choose whether to
> > enable internal profiles for each device. Clients know when to enable
> > internal profiles (such as when a user chooses to pair/connect via a UI)
> > and when to disable internal profiles (such as when the connection is
> > initiated by a generic application).
>
> I wonder if it is not better to just have a flag indicating if the
> profile shall claim exclusive access (such as GAP and GATT services),
> so profiles that don't set that will have the services exposed so for
> battery we can probably just have it exposed by default since it
> doesn't appear to would be any conflicts on having it exposed.
>
> > Sonny Sasaka (3):
> >   doc: Add "AllowInternalProfiles" property to org.bluez.Device1
> >   device: Add "AllowInternalProfiles" property to org.bluez.Device1
> >   client: Add set-allow-internal-profiles command
> >
> >  client/main.c      | 38 ++++++++++++++++++
> >  doc/device-api.txt | 13 +++++++
> >  src/device.c       | 96 ++++++++++++++++++++++++++++++++++++++++++++++
> >  src/hcid.h         |  2 +
> >  src/main.c         | 10 +++++
> >  src/main.conf      |  4 ++
> >  6 files changed, 163 insertions(+)
> >
> > --
> > 2.26.2
> >
>
>
> --
> Luiz Augusto von Dentz