public inbox for linux-bluetooth@vger.kernel.org
* [PATCH BlueZ] shared/att: make att channel respect LE socket security level
@ 2026-02-02 15:32 Lasan Mahaliyana
  2026-02-02 16:36 ` [BlueZ] " bluez.test.bot
  2026-02-02 16:41 ` [PATCH BlueZ] " Luiz Augusto von Dentz
  0 siblings, 2 replies; 3+ messages in thread
From: Lasan Mahaliyana @ 2026-02-02 15:32 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, Lasan Mahaliyana

This prevents unwanted pairing requests in instances where gatt-client tries
to read gatt characteristics that require higher security levels than
defined for the LE socket.

For example connecting to an LE L2CAP CoC socket with BT_SECURITY_LOW,
one would expect to not require pairing. But as the gatt-client starts
automatically for the initiator, if it tries to read characteristics which
require higher security levels, it fails and tries to elevate security
level, which would prompt pairing.

This makes it impossible to initiate an LE L2CAP CoC socket with
BT_SECURITY_LOW with some devices.
---
 src/shared/att.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/shared/att.c b/src/shared/att.c
index 77ca4aa24..ac527fccf 100644
--- a/src/shared/att.c
+++ b/src/shared/att.c
@@ -1193,6 +1193,23 @@ static uint8_t io_get_type(int fd)
 	return BT_ATT_LE;
 }
 
+static int io_get_security(int fd)
+{
+	struct bt_security sec;
+	socklen_t len;
+
+	if (!is_io_l2cap_based(fd))
+		return BT_ATT_SECURITY_LOW;
+
+	memset(&sec, 0, sizeof(sec));
+	len = sizeof(sec);
+
+	if (getsockopt(fd, SOL_BLUETOOTH, BT_SECURITY, &sec, &len) < 0)
+		return BT_ATT_SECURITY_AUTO;
+
+	return sec.level;
+}
+
 static struct bt_att_chan *bt_att_chan_new(int fd, uint8_t type)
 {
 	struct bt_att_chan *chan;
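Review bot: io_get_security() mixes two constant families without a mapping. The early return and the error path hand back BT_ATT_SECURITY_* values, while the success path returns sec.level exactly as getsockopt(BT_SECURITY) filled it in, with no range check. Suggest an explicit switch that translates the socket level into a BT_ATT_SECURITY_* value and has a default case, so an unexpected level from the socket cannot end up stored as the channel's security level.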
@@ -1219,6 +1236,10 @@ static struct bt_att_chan *bt_att_chan_new(int fd, uint8_t type)
 		chan->sec_level = BT_ATT_SECURITY_LOW;
 		/* fall through */
 	case BT_ATT_LE:
+		/* respect the current L2CAP socket security level */
+		if (chan->type == BT_ATT_LE)
+			chan->sec_level = io_get_security(fd);
+
 		chan->mtu = BT_ATT_DEFAULT_LE_MTU;
 		break;
 	default:
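Review bot: the assignment under case BT_ATT_LE samples the socket's level once, when the channel is created, and the one-line comment does not say what is intended afterwards. Please document whether chan->sec_level is meant to stay pinned to that snapshot if the socket's level is raised later, and what the caller should expect when io_get_security() falls back to BT_ATT_SECURITY_AUTO because getsockopt() failed.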
-- 
2.52.0



* RE: [BlueZ] shared/att: make att channel respect LE socket security level
  2026-02-02 15:32 [PATCH BlueZ] shared/att: make att channel respect LE socket security level Lasan Mahaliyana
@ 2026-02-02 16:36 ` bluez.test.bot
  2026-02-02 16:41 ` [PATCH BlueZ] " Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-02-02 16:36 UTC (permalink / raw)
  To: linux-bluetooth, limahaliyana


This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1049845

---Test result---

Test Summary:
CheckPatch                    PENDING   0.52 seconds
GitLint                       PENDING   0.39 seconds
BuildEll                      PASS      20.02 seconds
BluezMake                     PASS      647.34 seconds
MakeCheck                     PASS      18.93 seconds
MakeDistcheck                 PASS      241.71 seconds
CheckValgrind                 PASS      294.33 seconds
CheckSmatch                   PASS      348.48 seconds
bluezmakeextell               PASS      181.38 seconds
IncrementalBuild              PENDING   0.41 seconds
ScanBuild                     PASS      1016.02 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ] shared/att: make att channel respect LE socket security level
  2026-02-02 15:32 [PATCH BlueZ] shared/att: make att channel respect LE socket security level Lasan Mahaliyana
  2026-02-02 16:36 ` [BlueZ] " bluez.test.bot
@ 2026-02-02 16:41 ` Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-02 16:41 UTC (permalink / raw)
  To: Lasan Mahaliyana; +Cc: linux-bluetooth

Hi Lasan,

On Mon, Feb 2, 2026 at 10:37 AM Lasan Mahaliyana <limahaliyana@gmail.com> wrote:
>
> This prevents unwanted pairing requests in instances where gatt-client tries
> to read gatt characteristics that require higher security levels than
> defined for the LE socket.
>
> For example connecting to an LE L2CAP CoC socket with BT_SECURITY_LOW,
> one would expect to not require pairing. But as the gatt-client starts
> automatically for the initiator, if it tries to read characteristics which
> require higher security levels, it fails and tries to elevate security
> level, which would prompt pairing.
>
> This makes it impossible to initiate an LE L2CAP CoC socket with
> BT_SECURITY_LOW with some devices.
> ---
>  src/shared/att.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/src/shared/att.c b/src/shared/att.c
> index 77ca4aa24..ac527fccf 100644
> --- a/src/shared/att.c
> +++ b/src/shared/att.c
> @@ -1193,6 +1193,23 @@ static uint8_t io_get_type(int fd)
>         return BT_ATT_LE;
>  }
>
> +static int io_get_security(int fd)
> +{
> +       struct bt_security sec;
> +       socklen_t len;
> +
> +       if (!is_io_l2cap_based(fd))
> +               return BT_ATT_SECURITY_LOW;
> +
> +       memset(&sec, 0, sizeof(sec));
> +       len = sizeof(sec);
> +
> +       if (getsockopt(fd, SOL_BLUETOOTH, BT_SECURITY, &sec, &len) < 0)
> +               return BT_ATT_SECURITY_AUTO;
> +
> +       return sec.level;
> +}
> +
>  static struct bt_att_chan *bt_att_chan_new(int fd, uint8_t type)
>  {
>         struct bt_att_chan *chan;
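Review bot: the two fallback paths in io_get_security() disagree and neither is explained. A non-L2CAP fd yields BT_ATT_SECURITY_LOW, but a getsockopt() failure yields BT_ATT_SECURITY_AUTO and the error is dropped silently. Pick one fallback deliberately, say why in a comment, and consider reporting the errno in the failure branch so a socket that cannot be queried is distinguishable from one that genuinely has no fixed level.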
> @@ -1219,6 +1236,10 @@ static struct bt_att_chan *bt_att_chan_new(int fd, uint8_t type)
>                 chan->sec_level = BT_ATT_SECURITY_LOW;
>                 /* fall through */
>         case BT_ATT_LE:
> +               /* respect the current L2CAP socket security level */
> +               if (chan->type == BT_ATT_LE)
> +                       chan->sec_level = io_get_security(fd);

Nack, by respect here it means don't use BT_ATT_SECURITY_AUTO so it
breaks the likes of change_security in the process, what you should
probably do is to identify what attribute is requiring security and
then simply don't read it (by disabling the plugin if that is the code
that originates it).

>                 chan->mtu = BT_ATT_DEFAULT_LE_MTU;
>                 break;
>         default:
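Review bot: the `if (chan->type == BT_ATT_LE)` guard inside case BT_ATT_LE is only needed because the preceding case falls through into this one after setting BT_ATT_SECURITY_LOW. That makes the control flow harder to follow than it needs to be. Giving the preceding case its own chan->mtu assignment and break would let this case assign chan->sec_level unconditionally and drop the re-check of the type.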
> --
> 2.52.0
>


-- 
Luiz Augusto von Dentz
