From: "Frédéric Danis" <frederic.danis@collabora.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ v2 0/8] plugin/admin: Make allowlist adapter-scoped and enforce at runtime
Date: Wed, 15 Jul 2026 11:01:58 +0200 [thread overview]
Message-ID: <20260715090206.212130-1-frederic.danis@collabora.com> (raw)
This series tightens AdminPolicy ServiceAllowList handling and makes
its behavior consistent across adapter selection, adapter profile
activation, local SDP service registration, and device service
allowance checks.
The first part removes global AdminPolicy state and makes policy
tracking per-adapter, which fixes D-Bus updates being emitted on the
wrong adapter and avoids cross-adapter coupling.
The second part updates bluetoothctl admin.allow to be adapter-aware:
it now accepts an optional [ctrl] argument and otherwise targets the
currently selected default adapter. Documentation is updated
accordingly.
The core functional change is runtime enforcement of ServiceAllowList
for local adapter/server services in addition to existing remote-device
policy checks. When policy changes, adapters immediately reapply
allowlist decisions by stopping/removing disallowed services and
starting newly allowed ones, without restarting bluetoothd.
While exercising this runtime path, a UAF was found in audio media app
teardown when endpoint/player objects were destroyed before proxy
removal. The series fixes object/queue lifetime ownership to prevent
stale pointer dereferences.
Finally, device-side allowlist checks are switched to the same
profile-aware policy mapping used by adapter-side logic, so cases such
as A2DP role inversion are handled consistently.
Summary of effects:
- AdminPolicy state is correctly scoped per adapter.
- admin.allow can target explicit adapter or the selected default.
- ServiceAllowList now governs both remote profiles and local
adapter/server services.
- Allowlist updates are enforced immediately on initialized adapters.
- Device and adapter policy decisions now use the same profile-aware
UUID mapping semantics.
- Audio media teardown no longer risks UAF during runtime service
reconfiguration.
v1->v2: Add new commit to fix outgoing connection by unifying device-side
filtering with adapter-side profile-aware allowlist mapping semantics.
Frédéric Danis (8):
plugins/admin: make AdminPolicy state per-adapter
client/bluetoothctl: make admin.allow controller-aware
doc: document admin.allow optional controller argument
src/adapter: enforce allowlist for local services
plugins/admin: reapply allowlist on policy updates
doc: describe admin allowlist runtime enforcement
profiles/audio: fix UAF on external media service teardown
device: apply profile-aware admin allowlist checks for device services
client/admin.c | 114 ++++++++++++++++++-----
client/admin.h | 4 +
client/main.c | 25 ++++-
doc/bluetoothctl-admin.rst | 13 ++-
doc/org.bluez.AdminPolicySet.rst | 12 +++
doc/org.bluez.AdminPolicyStatus.rst | 5 +
plugins/admin.c | 131 +++++++++++++++++++-------
profiles/audio/media.c | 16 ++++
src/adapter.c | 139 ++++++++++++++++++++++++++++
src/adapter.h | 4 +
src/device.c | 5 +-
11 files changed, 405 insertions(+), 63 deletions(-)
--
2.43.0
next reply other threads:[~2026-07-15 9:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-15 9:01 Frédéric Danis [this message]
2026-07-15 9:01 ` [PATCH BlueZ v2 1/8] plugins/admin: make AdminPolicy state per-adapter Frédéric Danis
2026-07-15 10:16 ` plugin/admin: Make allowlist adapter-scoped and enforce at runtime bluez.test.bot
2026-07-15 9:02 ` [PATCH BlueZ v2 2/8] client/bluetoothctl: make admin.allow controller-aware Frédéric Danis
2026-07-15 9:02 ` [PATCH BlueZ v2 3/8] doc: document admin.allow optional controller argument Frédéric Danis
2026-07-15 13:40 ` Luiz Augusto von Dentz
2026-07-15 15:59 ` Frédéric Danis
2026-07-15 9:02 ` [PATCH BlueZ v2 4/8] src/adapter: enforce allowlist for local services Frédéric Danis
2026-07-15 9:02 ` [PATCH BlueZ v2 5/8] plugins/admin: reapply allowlist on policy updates Frédéric Danis
2026-07-15 9:02 ` [PATCH BlueZ v2 6/8] doc: describe admin allowlist runtime enforcement Frédéric Danis
2026-07-15 9:02 ` [PATCH BlueZ v2 7/8] profiles/audio: fix UAF on external media service teardown Frédéric Danis
2026-07-15 13:42 ` Luiz Augusto von Dentz
2026-07-15 9:02 ` [PATCH BlueZ v2 8/8] device: apply profile-aware admin allowlist checks for device services Frédéric Danis
2026-07-15 17:00 ` [PATCH BlueZ v2 0/8] plugin/admin: Make allowlist adapter-scoped and enforce at runtime patchwork-bot+bluetooth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260715090206.212130-1-frederic.danis@collabora.com \
--to=frederic.danis@collabora.com \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox