Ok, I examined all the policy and created a very broad profile called "bluetooth": http://bazaar.launchpad.net/~ubuntu-security/apparmor-easyprof-ubuntu/trunk/view/head:/data/policygroups/ubuntu/1.3/bluetooth
This gives all access to bluez and is therefore reserved. I was able to successfully transfer a file to my laptop from the device using the shareapp from click #1. I was also able to run both the client and the server of click #2 without denials (but the apps couldn't communicate after connecting (unrelated to apparmor)).
In addition, for future reference and so the investigation is not lost, I committed 'bluetooth-net' and 'bluetooth-file-transfer' in the 'pending/' directory: http://bazaar.launchpad.net/~ubuntu-security/apparmor-easyprof-ubuntu/trunk/files/head:/pending/policygroups/
This policy is not ready for consumption -- we need trust-store integration in bluez for these to become 'common', but again, wanted to capture the work somewhere in case it is useful in the future.
I'll work on getting these things landed in silos, etc. next.