From: "Frédéric Danis" <frederic.danis@collabora.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ 4/7] src/adapter: enforce allowlist for local services
Date: Thu, 2 Jul 2026 10:36:38 +0200 [thread overview]
Message-ID: <20260702083641.378994-4-frederic.danis@collabora.com> (raw)
In-Reply-To: <20260702083641.378994-1-frederic.danis@collabora.com>
Apply admin allowlist to adapter/server service startup and
registration, and reapply policy dynamically when allowlist changes.
- Gate adapter profile probe by allowlist-derived UUID policy
- Reapply active adapter profiles on allowlist updates (stop
disallowed, start newly allowed)
- Block SDP service registration when UUID is not allowed
- Reapply existing local SDP registrations at runtime by removing
services that become disallowed
Assisted-by: GPT:GPT-5.3-Codex
---
src/adapter.c | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++
src/adapter.h | 1 +
2 files changed, 140 insertions(+)
diff --git a/src/adapter.c b/src/adapter.c
index 538f63e0a..5a293b3f3 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -1346,6 +1346,7 @@ done:
int adapter_service_add(struct btd_adapter *adapter, sdp_record_t *rec)
{
+ char *svc_uuid;
int ret;
/*
@@ -1357,6 +1358,18 @@ int adapter_service_add(struct btd_adapter *adapter, sdp_record_t *rec)
DBG("%s", adapter->path);
+ svc_uuid = bt_uuid2string(&rec->svclass);
+ if (!svc_uuid)
+ return -ENOMEM;
+
+ if (!btd_adapter_is_uuid_allowed(adapter, svc_uuid)) {
+ DBG("Service %s blocked by admin allowlist", svc_uuid);
+ free(svc_uuid);
+ return -EPERM;
+ }
+
+ free(svc_uuid);
+
ret = add_record_to_server(&adapter->bdaddr, rec);
if (ret < 0)
return ret;
@@ -5201,6 +5214,70 @@ static void load_drivers(struct btd_adapter *adapter)
probe_driver(adapter, l->data);
}
+struct profile_allowlist_map {
+ const char *name;
+ const char *uuid;
+ bool use_remote_uuid;
+};
+
+/*
+ * Adapter server policy UUID defaults to local_uuid when available.
+ * Profiles listed below are exceptions where adapter-side server behavior
+ * needs a different UUID source (e.g. A2DP source/sink role inversion) or
+ * where server policy is derived from the profile remote_uuid.
+ */
+static const struct profile_allowlist_map profile_allowlist_map[] = {
+ { "a2dp-source", A2DP_SINK_UUID, false },
+ { "a2dp-sink", A2DP_SOURCE_UUID, false },
+ { "audio-avrcp-target", NULL, true },
+ { "avrcp-controller", NULL, true },
+ { "vcp", NULL, true },
+ { "micp", NULL, true },
+ { "ccp", NULL, true },
+ { "gmap", NULL, true },
+ { "tmap", NULL, true },
+ { "bass", NULL, true },
+ { "bap", NULL, true },
+ { "mcp-gmcs", NULL, true },
+};
+
+static const char *profile_allowlist_uuid(const struct btd_profile *profile)
+{
+ size_t i;
+
+ if (profile->local_uuid)
+ return profile->local_uuid;
+
+ if (!profile->name)
+ return NULL;
+
+ for (i = 0; i < ARRAY_SIZE(profile_allowlist_map); i++) {
+ const struct profile_allowlist_map *entry =
+ &profile_allowlist_map[i];
+
+ if (strcmp(profile->name, entry->name))
+ continue;
+
+ if (entry->use_remote_uuid)
+ return profile->remote_uuid;
+
+ return entry->uuid;
+ }
+
+ return NULL;
+}
+
+static bool adapter_profile_is_allowed(struct btd_adapter *adapter,
+ const struct btd_profile *profile)
+{
+ const char *uuid = profile_allowlist_uuid(profile);
+
+ if (!uuid)
+ return true;
+
+ return btd_adapter_is_uuid_allowed(adapter, uuid);
+}
+
static void probe_profile(struct btd_profile *profile, void *data)
{
struct btd_adapter *adapter = data;
@@ -5209,6 +5286,11 @@ static void probe_profile(struct btd_profile *profile, void *data)
if (profile->adapter_probe == NULL)
return;
+ if (!adapter_profile_is_allowed(adapter, profile)) {
+ DBG("%s blocked by admin allowlist", profile->name);
+ return;
+ }
+
err = profile->adapter_probe(profile, adapter);
if (err < 0) {
btd_error(adapter->dev_id, "%s: %s (%d)", profile->name,
@@ -5219,6 +5301,63 @@ static void probe_profile(struct btd_profile *profile, void *data)
adapter->profiles = g_slist_prepend(adapter->profiles, profile);
}
+static void reapply_profile(struct btd_profile *profile, void *data)
+{
+ struct btd_adapter *adapter = data;
+ bool active;
+
+ if (profile->adapter_probe == NULL)
+ return;
+
+ active = g_slist_find(adapter->profiles, profile) != NULL;
+
+ if (adapter_profile_is_allowed(adapter, profile)) {
+ if (!active)
+ probe_profile(profile, adapter);
+ return;
+ }
+
+ if (!active)
+ return;
+
+ adapter->profiles = g_slist_remove(adapter->profiles, profile);
+
+ if (profile->adapter_remove)
+ profile->adapter_remove(profile, adapter);
+}
+
+static void reapply_adapter_services(struct btd_adapter *adapter)
+{
+ sdp_list_t *l;
+
+ for (l = adapter->services; l != NULL;) {
+ sdp_list_t *next = l->next;
+ sdp_record_t *rec = l->data;
+ char *svc_uuid;
+
+ svc_uuid = bt_uuid2string(&rec->svclass);
+ if (!svc_uuid) {
+ l = next;
+ continue;
+ }
+
+ if (!btd_adapter_is_uuid_allowed(adapter, svc_uuid))
+ adapter_service_remove(adapter, rec->handle);
+
+ free(svc_uuid);
+ l = next;
+ }
+}
+
+void btd_adapter_reapply_allowed_uuids(struct btd_adapter *adapter)
+{
+ if (!adapter || !adapter->initialized)
+ return;
+
+ btd_profile_foreach(reapply_profile, adapter);
+ reapply_adapter_services(adapter);
+}
+
void adapter_add_profile(struct btd_adapter *adapter, gpointer p)
{
struct btd_profile *profile = p;
diff --git a/src/adapter.h b/src/adapter.h
index 4e07f71ad..cec528c56 100644
--- a/src/adapter.h
+++ b/src/adapter.h
@@ -295,6 +295,7 @@ bool btd_adapter_set_allowed_uuids(struct btd_adapter *adapter,
struct queue *uuids);
bool btd_adapter_is_uuid_allowed(struct btd_adapter *adapter,
const char *uuid_str);
+void btd_adapter_reapply_allowed_uuids(struct btd_adapter *adapter);
void btd_adapter_load_conn_param(struct btd_adapter *adapter,
const bdaddr_t *peer, uint8_t bdaddr_type,
--
2.43.0
next prev parent reply other threads:[~2026-07-02 8:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 8:36 [PATCH BlueZ 1/7] plugins/admin: make AdminPolicy state per-adapter Frédéric Danis
2026-07-02 8:36 ` [PATCH BlueZ 2/7] client/bluetoothctl: make admin.allow controller-aware Frédéric Danis
2026-07-02 8:36 ` [PATCH BlueZ 3/7] doc: document admin.allow optional controller argument Frédéric Danis
2026-07-02 8:36 ` Frédéric Danis [this message]
2026-07-02 8:36 ` [PATCH BlueZ 5/7] plugins/admin: reapply allowlist on policy updates Frédéric Danis
2026-07-02 8:36 ` [PATCH BlueZ 6/7] doc: describe admin allowlist runtime enforcement Frédéric Danis
2026-07-02 8:36 ` [PATCH BlueZ 7/7] profiles/audio: fix UAF on external media service teardown Frédéric Danis
2026-07-02 11:57 ` [BlueZ,1/7] plugins/admin: make AdminPolicy state per-adapter bluez.test.bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702083641.378994-4-frederic.danis@collabora.com \
--to=frederic.danis@collabora.com \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox