author | Wootak Jung <wootak.jung@samsung.com> | 2018-08-27 11:06:12 +0900 |
---|---|---|
committer | Wootak Jung <wootak.jung@samsung.com> | 2018-08-28 00:45:55 +0000 |
commit | 24953b69d833e21d3b98d6e390764e6fa92b72e0 (patch) | |
tree | ffe222db0a0a3d0eaa19b35cb0565eb8bfe1069c | |
parent | 4c7e37c59a6507e704432f91ee6f6a0f823d01c2 (diff) | |
Modify dbus policies based on default deny
- Remove receive_sender policies
- Combine deny policies
Change-Id: Ic3d691111443589b2896d5bbfde4eae328e996aa
-rwxr-xr-x | src/bluetooth.conf | 57 |
1 files changed, 8 insertions, 49 deletions
diff --git a/src/bluetooth.conf b/src/bluetooth.conf
index 5dc191fd..57de1d21 100755
--- a/src/bluetooth.conf
+++ b/src/bluetooth.conf
@@ -1,95 +1,54 @@ -<!-- This configuration file specifies the required security policies - for Bluetooth core daemon to work. --> - <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> - <!-- ../system.conf have denied everything, so we just punch some holes --> - <policy user="root"> <allow own="org.bluez.frwk_agent"/> - <allow receive_sender="org.bluez.frwk_agent"/> <allow send_destination="org.bluez.frwk_agent"/> <allow own="org.bluez"/> - <allow receive_sender="org.bluez"/> <allow send_destination="org.bluez"/> </policy> - <!-- allow users of bt_use group (Tizen BT group) to communicate with bluetoothd --> <policy group="bt_use"> - <allow receive_sender="org.bluez.frwk_agent"/> <allow send_destination="org.bluez.frwk_agent"/> - <allow receive_sender="org.bluez"/> <allow send_destination="org.bluez"/> </policy> - <!-- allow users of lp group (printing subsystem) to communicate with bluetoothd --> <policy group="lp"> - <allow receive_sender="org.bluez.frwk_agent"/> <allow send_destination="org.bluez.frwk_agent"/> - <allow receive_sender="org.bluez"/> <allow send_destination="org.bluez"/> </policy> - <policy group="network_fw"> <allow own="org.bluez.frwk_agent"/> - <allow receive_sender="org.bluez.frwk_agent"/> <allow send_destination="org.bluez.frwk_agent"/> <allow own="org.bluez"/> - <allow receive_sender="org.bluez"/> <allow send_destination="org.bluez"/> </policy> - <policy context="default"> + <deny own="org.bluez"/> + <deny send_destination="org.bluez"/> <deny own="org.bluez.frwk_agent"/> - <allow receive_sender="org.bluez.frwk_agent"/> - <deny send_destination="org.bluez" send_interface="org.bluez.frwk_agent"/> - <deny own="org.bluez.Agent1"/> - <allow receive_sender="org.bluez.Agent1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.Agent1"/> - <deny own="org.bluez.Manager"/> - <allow receive_sender="org.bluez.Manager"/> - <deny 
send_destination="org.bluez" send_interface="org.bluez.Manager"/> - <deny own="org.bluez.MediaEndpoint1"/> - <allow receive_sender="org.bluez.MediaEndpoint1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.MediaEndpoint1"/> - <deny own="org.bluez.MediaTransport1"/> - <allow receive_sender="org.bluez.MediaTransport1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.MediaTransport1"/> - <deny own="org.bluez.MediaPlayer1"/> - <allow receive_sender="org.bluez.MediaPlayer1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.MediaPlayer1"/> - <deny own="org.bluez.Profile1"/> - <allow receive_sender="org.bluez.Profile1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.Profile1"/> + <deny send_destination="org.bluez.frwk_agent"/> + <allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.Properties" send_member="Get"/> <allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.Properties" send_member="GetAll"/> <allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.ObjectManager" send_member="DefaultAdapter"/> <allow send_destination="org.bluez" send_interface="org.freedesktop.DBus.ObjectManager" send_member="GetManagedObjects"/> - <deny own="org.bluez.Adapter1"/> - <allow receive_sender="org.bluez.Adapter1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.Adapter1"/> + <check send_destination="org.bluez" send_interface="org.bluez.Adapter1" send_member="CreateDevice" privilege="http://tizen.org/privilege/bluetooth"/> - <deny own="org.bluez.Device1"/> - <allow receive_sender="org.bluez.Device1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.Device1"/> + <allow send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="DiscoverServices"/> <check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="ConnectProfile" privilege="http://tizen.org/privilege/bluetooth"/> <check 
send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="DisconnectProfile" privilege="http://tizen.org/privilege/bluetooth"/> <check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="DisconnectExtProfile" privilege="http://tizen.org/privilege/bluetooth"/> <check send_destination="org.bluez" send_interface="org.bluez.Device1" send_member="CancelDiscovery" privilege="http://tizen.org/privilege/bluetooth"/> - <deny own="org.bluez.GattManager1"/> - <allow receive_sender="org.bluez.GattManager1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.GattManager1"/> + <allow send_destination="org.bluez" send_interface="org.bluez.GattManager1" send_member="GetService"/> <check send_destination="org.bluez" send_interface="org.bluez.GattManager1" send_member="RegisterApplication" privilege="http://tizen.org/privilege/bluetooth"/> <check send_destination="org.bluez" send_interface="org.bluez.GattManager1" send_member="UnregisterApplication" privilege="http://tizen.org/privilege/bluetooth"/> - <deny own="org.bluez.ProfileManager1"/> - <allow receive_sender="org.bluez.ProfileManager1"/> - <deny send_destination="org.bluez" send_interface="org.bluez.ProfileManager1"/> + <check send_destination="org.bluez" send_interface="org.bluez.ProfileManager1" send_member="RegisterProfile" privilege="http://tizen.org/privilege/bluetooth"/> <check send_destination="org.bluez" send_interface="org.bluez.ProfileManager1" send_member="RegisterProfile1" privilege="http://tizen.org/privilege/bluetooth.admin"/> <check send_destination="org.bluez" send_interface="org.bluez.ProfileManager1" send_member="RegisterProfile2" privilege="http://tizen.org/privilege/bluetooth.admin"/> |
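Review bot: The `<policy context="default">` block now depends entirely on rule order, and the file no longer says so, because the commit removes the header comment. The blanket `<deny send_destination="org.bluez"/>` and `<deny send_destination="org.bluez.frwk_agent"/>` act as a default deny only while they precede every `<allow>` and `<check>` rule, since dbus-daemon lets the last matching rule in a policy win. A later edit that appends a deny, or moves an allow above them, would silently change who can reach bluetoothd. I would add a comment directly above the denies, for example `<!-- default deny: keep these first; the allow/check rules below override them (last match wins) -->`. That comment should also record that Properties Get/GetAll, GetManagedObjects, DiscoverServices and GetService remain callable without the bluetooth privilege, so the exposure reads as a deliberate decision. The closing of the policy block is not visible in the hunk.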