[PATCH BlueZ] Leave config files writable for owner

[PATCH BlueZ] Leave config files writable for owner

[Fiona Klute]

This is needed both so the owner can adjust config as needed, and for
distribution builds to be able to move/delete files as part of the
build without adjusting permissions themselves. Limiting writes from
the running service needs to be done in the systemd unit (already the
case) or init script.

See also: https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 297d0774c..29018a91c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth
 statedir = $(localstatedir)/lib/bluetooth
 
 bluetoothd-fix-permissions:
-	install -dm555 $(DESTDIR)$(confdir)
+	install -dm755 $(DESTDIR)$(confdir)
 	install -dm700 $(DESTDIR)$(statedir)
 
 if DATAFILES
-- 
2.45.2

RE: [BlueZ] Leave config files writable for owner

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=914938

---Test result---

Test Summary:
CheckPatch                    PENDING   0.21 seconds
GitLint                       PENDING   0.37 seconds
BuildEll                      PASS      20.36 seconds
BluezMake                     PASS      1575.41 seconds
MakeCheck                     PASS      13.16 seconds
MakeDistcheck                 PASS      157.64 seconds
CheckValgrind                 PASS      212.99 seconds
CheckSmatch                   PASS      270.97 seconds
bluezmakeextell               PASS      98.39 seconds
IncrementalBuild              PENDING   0.30 seconds
ScanBuild                     PASS      835.62 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ] Leave config files writable for owner

[Luiz Augusto von Dentz]

Hi Bastian, Emil,

On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de> wrote:
>
> This is needed both so the owner can adjust config as needed, and for
> distribution builds to be able to move/delete files as part of the
> build without adjusting permissions themselves. Limiting writes from
> the running service needs to be done in the systemd unit (already the
> case) or init script.
>
> See also: https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/
> ---
>  Makefile.am | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Makefile.am b/Makefile.am
> index 297d0774c..29018a91c 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth
>  statedir = $(localstatedir)/lib/bluetooth
>
>  bluetoothd-fix-permissions:
> -       install -dm555 $(DESTDIR)$(confdir)
> +       install -dm755 $(DESTDIR)$(confdir)
>         install -dm700 $(DESTDIR)$(statedir)
>
>  if DATAFILES
> --
> 2.45.2

Any comments regarding these changes, shall we also use 0755 in the
systemd service?

-- 
Luiz Augusto von Dentz

Re: [PATCH BlueZ] Leave config files writable for owner

[Bastien Nocera]

On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote:
> Hi Bastian, Emil,
> 
> On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de>
> wrote:
> > 
> > This is needed both so the owner can adjust config as needed, and
> > for
> > distribution builds to be able to move/delete files as part of the
> > build without adjusting permissions themselves. Limiting writes
> > from
> > the running service needs to be done in the systemd unit (already
> > the
> > case) or init script.
> > 
> > See also:
> > https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/
> > ---
> >  Makefile.am | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/Makefile.am b/Makefile.am
> > index 297d0774c..29018a91c 100644
> > --- a/Makefile.am
> > +++ b/Makefile.am
> > @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth
> >  statedir = $(localstatedir)/lib/bluetooth
> > 
> >  bluetoothd-fix-permissions:
> > -       install -dm555 $(DESTDIR)$(confdir)
> > +       install -dm755 $(DESTDIR)$(confdir)
> >         install -dm700 $(DESTDIR)$(statedir)
> > 
> >  if DATAFILES
> > --
> > 2.45.2
> 
> Any comments regarding these changes, shall we also use 0755 in the
> systemd service?

That's fine, although the changes are really academic, as root/the
owner can write and move those files just fine, even without explicit
write permissions.

The point made about the stopping the running daemon from writing to
/etc is on point though, which could be fixed by something like:
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 8ebe89bec682..ddaa9d444eed 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -15,7 +15,7 @@ LimitNPROC=1
 
 # Filesystem lockdown
 ProtectHome=true
-ProtectSystem=strict
+ProtectSystem=full
 PrivateTmp=true
 ProtectKernelTunables=true
 ProtectControlGroups=true

See
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=

Cheers

Re: [PATCH BlueZ] Leave config files writable for owner

[Fiona Klute]

Am 06.12.24 um 10:46 schrieb Bastien Nocera:
> On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote:
>> Hi Bastian, Emil,
>>
>> On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de>
>> wrote:
>>>
>>> This is needed both so the owner can adjust config as needed, and
>>> for
>>> distribution builds to be able to move/delete files as part of the
>>> build without adjusting permissions themselves. Limiting writes
>>> from
>>> the running service needs to be done in the systemd unit (already
>>> the
>>> case) or init script.
>>>
>>> See also:
>>> https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/
>>> ---
>>>   Makefile.am | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/Makefile.am b/Makefile.am
>>> index 297d0774c..29018a91c 100644
>>> --- a/Makefile.am
>>> +++ b/Makefile.am
>>> @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth
>>>   statedir = $(localstatedir)/lib/bluetooth
>>>
>>>   bluetoothd-fix-permissions:
>>> -       install -dm555 $(DESTDIR)$(confdir)
>>> +       install -dm755 $(DESTDIR)$(confdir)
>>>          install -dm700 $(DESTDIR)$(statedir)
>>>
>>>   if DATAFILES
>>> --
>>> 2.45.2
>>
>> Any comments regarding these changes, shall we also use 0755 in the
>> systemd service?
>
> That's fine, although the changes are really academic, as root/the
> owner can write and move those files just fine, even without explicit
> write permissions.

With chmod, yes. A build process that expects created directories to be
writable for the user running the build fails. Sure, it'd be possible to
add a workaround, but it's better to fix the issue at the source.

> The point made about the stopping the running daemon from writing to
> /etc is on point though, which could be fixed by something like:
> diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
> index 8ebe89bec682..ddaa9d444eed 100644
> --- a/src/bluetooth.service.in
> +++ b/src/bluetooth.service.in
> @@ -15,7 +15,7 @@ LimitNPROC=1
>
>   # Filesystem lockdown
>   ProtectHome=true
> -ProtectSystem=strict
> +ProtectSystem=full
>   PrivateTmp=true
>   ProtectKernelTunables=true
>   ProtectControlGroups=true
>
> See
> https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=
As I understand the documentation there "strict" implies "full":

> If true, mounts the /usr/ and the boot loader directories (/boot
> and /efi) read-only for processes invoked by this unit. If set to
> "full", the /etc/ directory is mounted read-only, too. If set to
> "strict" the entire file system hierarchy is mounted read-only,
> except for the API file system subtrees /dev/, /proc/ and /sys/
> (protect these directories using PrivateDevices=,
> ProtectKernelTunables=, ProtectControlGroups=).

So switching from strict to full would actually weaken protection,
though /etc should be read-only either way.

Best regard,
Fiona

Re: [PATCH BlueZ] Leave config files writable for owner

[Bastien Nocera]

On Fri, 2024-12-06 at 12:53 +0100, Fiona Klute wrote:
> Am 06.12.24 um 10:46 schrieb Bastien Nocera:
> > On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote:
> > > Hi Bastian, Emil,
> > > 
> > > On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de>
> > > wrote:
> > > > 
> > > > This is needed both so the owner can adjust config as needed,
> > > > and
> > > > for
> > > > distribution builds to be able to move/delete files as part of
> > > > the
> > > > build without adjusting permissions themselves. Limiting writes
> > > > from
> > > > the running service needs to be done in the systemd unit
> > > > (already
> > > > the
> > > > case) or init script.
> > > > 
> > > > See also:
> > > > https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/
> > > > ---
> > > >   Makefile.am | 2 +-
> > > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/Makefile.am b/Makefile.am
> > > > index 297d0774c..29018a91c 100644
> > > > --- a/Makefile.am
> > > > +++ b/Makefile.am
> > > > @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth
> > > >   statedir = $(localstatedir)/lib/bluetooth
> > > > 
> > > >   bluetoothd-fix-permissions:
> > > > -       install -dm555 $(DESTDIR)$(confdir)
> > > > +       install -dm755 $(DESTDIR)$(confdir)
> > > >          install -dm700 $(DESTDIR)$(statedir)
> > > > 
> > > >   if DATAFILES
> > > > --
> > > > 2.45.2
> > > 
> > > Any comments regarding these changes, shall we also use 0755 in
> > > the
> > > systemd service?
> > 
> > That's fine, although the changes are really academic, as root/the
> > owner can write and move those files just fine, even without
> > explicit
> > write permissions.
> 
> With chmod, yes. A build process that expects created directories to
> be
> writable for the user running the build fails. Sure, it'd be possible
> to
> add a workaround, but it's better to fix the issue at the source.

Please mention in the commit message that this is to fix problems with
build systems that run as non-root.

> > The point made about the stopping the running daemon from writing
> > to
> > /etc is on point though, which could be fixed by something like:
> > diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
> > index 8ebe89bec682..ddaa9d444eed 100644
> > --- a/src/bluetooth.service.in
> > +++ b/src/bluetooth.service.in
> > @@ -15,7 +15,7 @@ LimitNPROC=1
> > 
> >   # Filesystem lockdown
> >   ProtectHome=true
> > -ProtectSystem=strict
> > +ProtectSystem=full
> >   PrivateTmp=true
> >   ProtectKernelTunables=true
> >   ProtectControlGroups=true
> > 
> > See
> > https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=
> As I understand the documentation there "strict" implies "full":
> 
> > If true, mounts the /usr/ and the boot loader directories (/boot
> > and /efi) read-only for processes invoked by this unit. If set to
> > "full", the /etc/ directory is mounted read-only, too. If set to
> > "strict" the entire file system hierarchy is mounted read-only,
> > except for the API file system subtrees /dev/, /proc/ and /sys/
> > (protect these directories using PrivateDevices=,
> > ProtectKernelTunables=, ProtectControlGroups=).
> 
> So switching from strict to full would actually weaken protection,
> though /etc should be read-only either way.

Right, I had that backwards.