authorWootak Jung <wootak.jung@samsung.com>2018-08-27 11:06:12 +0900
committerWootak Jung <wootak.jung@samsung.com>2018-08-28 00:45:55 +0000
commit24953b69d833e21d3b98d6e390764e6fa92b72e0 (patch)
treeffe222db0a0a3d0eaa19b35cb0565eb8bfe1069c
parent4c7e37c59a6507e704432f91ee6f6a0f823d01c2 (diff)
Modify dbus policies based on default deny
- Remove the redundant receive_sender policies
- Combine the per-interface deny policies into a single default deny

Change-Id: Ic3d691111443589b2896d5bbfde4eae328e996aa
-rwxr-xr-xsrc/bluetooth.conf57
1 files changed, 8 insertions, 49 deletions
diff --git a/src/bluetooth.conf b/src/bluetooth.conf
index 5dc191fd..57de1d21 100755
--- a/src/bluetooth.conf
+++ b/src/bluetooth.conf
@@ -1,95 +1,54 @@
-<!-- This configuration file specifies the required security policies
- for Bluetooth core daemon to work. -->
-
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
-
<!-- ../system.conf have denied everything, so we just punch some holes -->
-
<policy user="root">
<allow own="org.bluez.frwk_agent"/>
- <allow receive_sender="org.bluez.frwk_agent"/>
<allow send_destination="org.bluez.frwk_agent"/>
<allow own="org.bluez"/>
- <allow receive_sender="org.bluez"/>
<allow send_destination="org.bluez"/>
</policy>
-
<!-- allow users of bt_use group (Tizen BT group) to
communicate with bluetoothd -->
<policy group="bt_use">
- <allow receive_sender="org.bluez.frwk_agent"/>
<allow send_destination="org.bluez.frwk_agent"/>
- <allow receive_sender="org.bluez"/>
<allow send_destination="org.bluez"/>
</policy>
-
<!-- allow users of lp group (printing subsystem) to
communicate with bluetoothd -->
<policy group="lp">
- <allow receive_sender="org.bluez.frwk_agent"/>
<allow send_destination="org.bluez.frwk_agent"/>
- <allow receive_sender="org.bluez"/>
<allow send_destination="org.bluez"/>
</policy>
-
<policy group="network_fw">
<allow own="org.bluez.frwk_agent"/>
- <allow receive_sender="org.bluez.frwk_agent"/>
<allow send_destination="org.bluez.frwk_agent"/>
<allow own="org.bluez"/>
- <allow receive_sender="org.bluez"/>
<allow send_destination="org.bluez"/>
</policy>
-
<policy context="default">
+ <deny own="org.bluez"/>
+ <deny send_destination="org.bluez"/>
<deny own="org.bluez.frwk_agent"/>
- <allow receive_sender="org.bluez.frwk_agent"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.frwk_agent"/>
- <deny own="org.bluez.Agent1"/>
- <allow receive_sender="org.bluez.Agent1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.Agent1"/>
- <deny own="org.bluez.Manager"/>
- <allow receive_sender="org.bluez.Manager"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.Manager"/>
- <deny own="org.bluez.MediaEndpoint1"/>
- <allow receive_sender="org.bluez.MediaEndpoint1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.MediaEndpoint1"/>
- <deny own="org.bluez.MediaTransport1"/>
- <allow receive_sender="org.bluez.MediaTransport1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.MediaTransport1"/>
- <deny own="org.bluez.MediaPlayer1"/>
- <allow receive_sender="org.bluez.MediaPlayer1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.MediaPlayer1"/>
- <deny own="org.bluez.Profile1"/>
- <allow receive_sender="org.bluez.Profile1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.Profile1"/>
+ <deny send_destination="org.bluez.frwk_agent"/>
+
<allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.Properties" send_member="Get"/>
<allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.Properties" send_member="GetAll"/>
<allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.ObjectManager" send_member="DefaultAdapter"/>
<allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.ObjectManager" send_member="GetManagedObjects"/>
- <deny own="org.bluez.Adapter1"/>
- <allow receive_sender="org.bluez.Adapter1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.Adapter1"/>
+
<check send_destination="org.bluez" send_interface="org.bluez.Adapter1" send_member="CreateDevice" privilege="http://tizen.org/privilege/bluetooth"/>
- <deny own="org.bluez.Device1"/>
- <allow receive_sender="org.bluez.Device1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.Device1"/>
+
<allow send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="DiscoverServices"/>
<check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="ConnectProfile" privilege="http://tizen.org/privilege/bluetooth"/>
<check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="DisconnectProfile" privilege="http://tizen.org/privilege/bluetooth"/>
<check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="DisconnectExtProfile" privilege="http://tizen.org/privilege/bluetooth"/>
<check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="CancelDiscovery" privilege="http://tizen.org/privilege/bluetooth"/>
- <deny own="org.bluez.GattManager1"/>
- <allow receive_sender="org.bluez.GattManager1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.GattManager1"/>
+
<allow send_destination="org.bluez" send_interface="org.bluez.GattManager1" send_member="GetService"/>
<check send_destination="org.bluez" send_interface="org.bluez.GattManager1" send_member="RegisterApplication" privilege="http://tizen.org/privilege/bluetooth"/>
<check send_destination="org.bluez" send_interface="org.bluez.GattManager1" send_member="UnregisterApplication" privilege="http://tizen.org/privilege/bluetooth"/>
- <deny own="org.bluez.ProfileManager1"/>
- <allow receive_sender="org.bluez.ProfileManager1"/>
- <deny send_destination="org.bluez" send_interface="org.bluez.ProfileManager1"/>
+
<check send_destination="org.bluez" send_interface="org.bluez.ProfileManager1" send_member="RegisterProfile" privilege="http://tizen.org/privilege/bluetooth"/>
<check send_destination="org.bluez" send_interface="org.bluez.ProfileManager1" send_member="RegisterProfile1" privilege="http://tizen.org/privilege/bluetooth.admin"/>
<check send_destination="org.bluez" send_interface="org.bluez.ProfileManager1" send_member="RegisterProfile2" privilege="http://tizen.org/privilege/bluetooth.admin"/>
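Review bot: The blanket `<deny send_destination="org.bluez"/>` added at the top of the `context="default"` policy only works because dbus-daemon applies the last matching rule within a policy, so every `<allow>` and `<check>` that follows it is order-dependent, and nothing in the file says so now that the old header comment was dropped. I would add, directly above the new deny, `<!-- Default deny for everything sent to org.bluez; the allow/check rules below must stay after this line, since the last matching rule in a policy wins. -->`. Note that this deny is also broader than the per-interface denies it replaces: interfaces that were previously untouched for default-context callers (for example org.freedesktop.DBus.Introspectable, and Properties.Set as opposed to Get/GetAll) are now blocked unless listed, which looks intended by the commit title but is worth stating in the description. Separately, the file header shows mode 100755 (`-rwxr-xr-x`) on a D-Bus policy file; the executable bit serves no purpose here and could be dropped to 100644.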