Details
- Bug
- Resolution: Fixed
- Major
- None
Description
```
Jul 27 04:24:58 intel-corei7-64 audit[691]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User::App::agl-service-bluetooth-map" object="System" requested=r pid=691 comm="afbd-agl-servic" name="obex-clientZS7H5Z" dev="tmpfs" ino=267825
Jul 27 04:24:58 intel-corei7-64 audit[691]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f7dd401e5e0 a2=0 a3=0 items=0 ppid=1 pid=691 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="afbd-agl-servic" exe="/usr/bin/afb-daemon" subj=User::App::agl-service-bluetooth-map key=(null)
Jul 27 04:24:58 intel-corei7-64 kernel: audit: type=1400 audit(1564201498.613:10): lsm=SMACK fn=smack_inode_permission action=denied subject="User::App::agl-service-bluetooth-map" object="System" requested=r pid=691 comm="afbd-agl-servic" name="obex-clientZS7H5Z" dev="tmpfs" ino=267825
```
agl-service-bluetooth-pbap/map use obexd to get messages/phonebooks, which it saves in a temp file that the binding then processes. The issue is that obexd-created files have the System label, which services can't read.
So one possible solution is having another SMACK label like System::Obex, but obexd is currently run from a user systemd unit, which doesn't have CAP_MAC_ADMIN.
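For triage of denials like the ones logged above, the following Python sketch (an added example, not part of the original report or of AGL code) extracts the subject label, object label and requested access from SMACK audit records and collapses the duplicate that appears when the same event is logged by both `audit[...]` and the kernel. The function names are hypothetical; the sample lines are taken from the report, with the SYSCALL record shortened.

```python
import re
from collections import Counter

# Records copied from the report above: the same denial as logged by
# audit[691] and again by the kernel.
RECORD = ('lsm=SMACK fn=smack_inode_permission action=denied '
          'subject="User::App::agl-service-bluetooth-map" object="System" '
          'requested=r pid=691 comm="afbd-agl-servic" '
          'name="obex-clientZS7H5Z" dev="tmpfs" ino=267825')
SAMPLE_LINES = [
    'Jul 27 04:24:58 intel-corei7-64 audit[691]: AVC ' + RECORD,
    'Jul 27 04:24:58 intel-corei7-64 kernel: audit: type=1400 '
    'audit(1564201498.613:10): ' + RECORD,
    # SYSCALL record, shortened from the report; it must be ignored.
    'Jul 27 04:24:58 intel-corei7-64 audit[691]: SYSCALL arch=c000003e '
    'syscall=257 success=no exit=-13',
]

# key=value pairs; a value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_smack_denial(line):
    """Return the key=value fields of a SMACK denial, or None otherwise."""
    start = line.find("lsm=SMACK")
    if start < 0:
        return None
    fields = {k: quoted or bare for k, quoted, bare in _KV.findall(line[start:])}
    if fields.get("action") != "denied":
        return None
    # Syslog timestamp (first 15 characters) plus the record body identifies
    # one event, so the audit[] and kernel copies compare equal.
    fields["_event"] = (line[:15], line[start:])
    return fields

def summarize(lines):
    """Count unique denials per (subject, object, requested) label triple."""
    seen, counts = set(), Counter()
    for line in lines:
        rec = parse_smack_denial(line)
        if rec is None or rec["_event"] in seen:
            continue
        seen.add(rec["_event"])
        counts[(rec.get("subject"), rec.get("object"), rec.get("requested"))] += 1
    return counts

if __name__ == "__main__":
    for (subj, obj, access), n in summarize(SAMPLE_LINES).items():
        print(f"{n}x {subj} -> {obj} [{access}]")
```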
Attachments
# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
22015,1 | binding: bluetooth-pbap: add check on file pointer | master | apps/agl-service-bluetooth-pbap | Status: MERGED | +2 | +1 |
22016,2 | binding: bluetooth-pbap: add check on file pointer | halibut | apps/agl-service-bluetooth-pbap | Status: MERGED | +2 | +1 |
22018,1 | Revert "binding: bluetooth-pbap: add scope-platform permission to config.xml.in" | master | apps/agl-service-bluetooth-pbap | Status: MERGED | +2 | +1 |
22019,2 | binding: pbap: move data transfer results to shared directory | master | apps/agl-service-bluetooth-pbap | Status: MERGED | +2 | +1 |
22020,3 | bluez5: add obex.service.d conf to fix smack label issues | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
22021,1 | Revert "binding: bluetooth-map: add scope-platform permission to config.xml.in" | master | apps/agl-service-bluetooth-map | Status: MERGED | +2 | +1 |
22022,2 | binding: bluetooth-map: move data transfer results to shared directory | master | apps/agl-service-bluetooth-map | Status: MERGED | +2 | +1 |
22034,1 | binding: bluetooth-map: unlink files after data transfers | master | apps/agl-service-bluetooth-map | Status: MERGED | +2 | +1 |
22037,1 | bluez5: add obex.service.d conf to fix smack label issues | halibut | AGL/meta-agl | Status: MERGED | +2 | +1 |
22038,1 | Revert "binding: bluetooth-map: add scope-platform permission to config.xml.in" | halibut | apps/agl-service-bluetooth-map | Status: MERGED | +2 | +1 |
22039,1 | binding: bluetooth-map: move data transfer results to shared directory | halibut | apps/agl-service-bluetooth-map | Status: MERGED | +2 | +1 |
22040,1 | Revert "binding: bluetooth-pbap: add scope-platform permission to config.xml.in" | halibut | apps/agl-service-bluetooth-pbap | Status: MERGED | +2 | +1 |
22041,1 | binding: pbap: move data transfer results to shared directory | halibut | apps/agl-service-bluetooth-pbap | Status: MERGED | +2 | +1 |