Closed
Bug 1228283
Opened 9 years ago
Closed 7 years ago
[bluetoothd][Permission] Adjusting the permissions on bluetoothd
Categories
(Firefox OS Graveyard :: Bluetooth, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: tt, Unassigned, Mentored)
References
Details
Attachments
(2 files)
It needs to create some device nodes while implementing the PAN profile on bluetoothd. It looks like we needs to require device permissions of /dev/tun and something else for creating them. Whether we should require the root permission for solving these kinds of problems?
|
||
Comment 1•9 years ago
|
||
I guess this is the relevant code:
http://androidxref.com/5.1.1_r6/xref/external/bluetooth/bluedroid/btif/src/btif_pan.c#422
|
|
||
Comment 2•9 years ago
|
||
Tom,
I got this URL from Shawn a while ago. Can you elaborate exactly which operation fails.
On my aries-l /dev/tun has permissions set to system:vpn 660. Does it help to add bluetoothd to vpn? This should allow for opening /dev/tun. It's not clear to me why an ioctl should fail with EPERM on an open file descriptor (except for additional MAC security checks).
|
|
||
Comment 3•9 years ago
|
||
Device creation fails in this ioctl call?
|
|
||
Comment 4•9 years ago
|
||
Looking through the TAP driver, my guess is that we need CAP_NET_ADMIN set on bluetoothd. [1]
[1] http://lxr.free-electrons.com/source/drivers/net/tun.c#L1655
|
|
||
Comment 5•9 years ago
|
||
Could adding bluetoothd to group 'net_admin' fix this?
|
|
||
Comment 6•9 years ago
|
||
(In reply to Thomas Zimmermann [:tzimmermann] [:tdz] from comment #4)
> Looking through the TAP driver, my guess is that we need CAP_NET_ADMIN set
> on bluetoothd. [1]
>
> [1] http://lxr.free-electrons.com/source/drivers/net/tun.c#L1655
Apparently, at some point |ns_capable| call invokes |cap_capable|, [1] which should return '0' (aka true in this case) [2] if the process is in group 'net_admin'. CONFIG_ANDROID_PARANOID_NETWORK is enabled by default in the kernel configuration.
Could someone please try this out?
[1] https://android.googlesource.com/kernel/goldfish/+/android-3.10/security/commoncap.c#80
[2] https://android.googlesource.com/kernel/goldfish/+/android-3.10/security/commoncap.c#88
|
Reporter | |
Comment 7•9 years ago
|
||
Thomas
Sorry for my late reply. In my test environment, 'net_admin' has already added in group in 'init.bluetooth.rc', but the problem is the dev/tun cannot be created. I added bluetoothd to group 'vpn' to create the dev/tun. However, another error happens [1] and the error message is "Bad file number". My guess is that the error happens while creating the socket. If we let the bluetoothd have the root permission, the problem is solved.
[1] http://androidxref.com/5.1.1_r6/xref/external/bluetooth/bluedroid/btif/src/btif_pan.c#317
|
|
Reporter | |
Comment 8•9 years ago
|
||
In currently setting (mc), the groups already added in bluetoothd are : system net_admin net_bt_stack bluetooth
When I tried to establish connection via my implementation of PAN profile, I got error message:
D/bt-btif ( 891): could not open /dev/tun, err:13
After adding 'vpn' group, I got another error message:
E/bt-btif ( 1886): Could not get network hardware for interface:bt-pan, errno:Bad file number
The connection was established successfully when I change the permission of the bluetoothd into 'root'.
(In reply to Thomas Zimmermann [:tzimmermann] [:tdz] from comment #2)
> Tom,
>
> I got this URL from Shawn a while ago. Can you elaborate exactly which
> operation fails.
>
> On my aries-l /dev/tun has permissions set to system:vpn 660. Does it help
> to add bluetoothd to vpn? This should allow for opening /dev/tun. It's not
> clear to me why an ioctl should fail with EPERM on an open file descriptor
> (except for additional MAC security checks).
|
|
||
Comment 9•9 years ago
|
||
Hi
> E/bt-btif ( 1886): Could not get network hardware for interface:bt-pan,
> errno:Bad file number
This happens at [1]. Could you please check the return value of the nearby call to |socket| and post the value and the respective errno value, if any. Thanks!
[1] http://androidxref.com/5.1.1_r6/xref/external/bluetooth/bluedroid/btif/src/btif_pan.c#317
|
|
Reporter | |
Comment 10•9 years ago
|
||
Hi Thomas
>
> This happens at [1]. Could you please check the return value of the nearby
> call to |socket| and post the value and the respective errno value, if any.
> Thanks!
I print out the return value and error message of |socket|, the debug message are:
sk:-1, errno:Permission denied
Thanks!
|
|
||
Comment 11•9 years ago
|
||
I forgot to ask, but could you attach the dmesg output? Maybe there's some additional information contained.
|
|
Reporter | |
Comment 12•9 years ago
|
||
The attachment(dmesg.log) is my dmesg output.
|
|
||
Comment 13•9 years ago
|
||
The only place I could find where |socket| does a permission check is in the SELinux code [1][2] called from [3].
Do you have any SELinux warnings in the logcat? Is the system running with SELinux enforcement?
[1] http://lxr.free-electrons.com/source/security/selinux/hooks.c#L4047
[2] http://lxr.free-electrons.com/source/security/selinux/hooks.c#L4066
[3] http://lxr.free-electrons.com/source/net/socket.c#L1094
|
|
||
Comment 14•9 years ago
|
||
(In reply to Tom Tung from comment #12)
> Created attachment 8692913 [details]
> dmesg.log
>
> The attachment(dmesg.log) is my dmesg output.
Not your system's dmesg, but the one from the B2G system :D.
Run the PAN code on the device, then enter
adb shell dmesg > dmesg.txt
dmesg.txt will contain B2G's dmesg.
|
|
Reporter | |
Comment 15•9 years ago
|
||
(In reply to Thomas Zimmermann [:tzimmermann] [:tdz] from comment #14)
> (In reply to Tom Tung from comment #12)
> > Created attachment 8692913 [details]
> > dmesg.log
> >
> > The attachment(dmesg.log) is my dmesg output.
>
> Not your system's dmesg, but the one from the B2G system :D.
>
> Run the PAN code on the device, then enter
>
> adb shell dmesg > dmesg.txt
>
> dmesg.txt will contain B2G's dmesg.
The attached file (dmesg.log) is the dmesg from my B2G system. XD
|
|
Reporter | |
Comment 16•9 years ago
|
||
Hi Thomas,
I think maybe there are some mistakes on my previous dmesg file, so I try to do it again. The attached file is the dmesg from my B2G system after running my PAN code and trying to connect my computer (Mac) via PAN profile.
Tom
|
|
Reporter | |
Comment 17•9 years ago
|
||
(In reply to Thomas Zimmermann [:tzimmermann] [:tdz] from comment #13)
> The only place I could find where |socket| does a permission check is in the
> SELinux code [1][2] called from [3].
>
> Do you have any SELinux warnings in the logcat? Is the system running with
> SELinux enforcement?
>
> [1] http://lxr.free-electrons.com/source/security/selinux/hooks.c#L4047
> [2] http://lxr.free-electrons.com/source/security/selinux/hooks.c#L4066
> [3] http://lxr.free-electrons.com/source/net/socket.c#L1094
Hi Thomas,
I search my logcat file with keywords like: "avc", ""uses obsolete" and "socket: no more sockets" (warning message from [1]). There is no any warning or error message with those words.
I cat the "/sys/fs/selinux/enforce" and the value is "1", so I think my B2G system is running with SELinux enforcement.
[1] http://lxr.free-electrons.com/source/net/socket.c#L1094
|
||
Comment 18•7 years ago
|
||
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•