Gordon Messmer wrote:

On 1/13/20 2:26 AM, James Pearson wrote:

...

Which is a pity, as it's either an all or nothing with Bluetooth, which means we can't use Bluetooth for Wacom tablets without opening up access to file transfer over Bluetooth as well ...

What is the threat you're trying to mitigate, specifically?  I don't see how pairing a tablet would allow file transfers.  An unauthorized device can't unilaterally pair with your system.

If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow

Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want

i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices

James Pearson

Phil Perry wrote:

...

...

What is the threat you're trying to mitigate, specifically?  I don't see how pairing a tablet would allow file transfers.  An unauthorized device can't unilaterally pair with your system.

If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow

Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want

i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices

Is it possible to control behaviour with udev rules?

No idea - I haven't found anything that allows you to 'control' Bluetooth - including any mention of udev rules

I have no idea if udev could be used in this way - nor where to start in creating possible udev rules :-)

I asked my original question on the linux-bluetooth email list - and the only suggestion was hacking the Bluetooth kernel modules to 'filter connection requests at the PSM level' ...

Thanks

James Pearson

Leon Fauster via CentOS wrote:

...

...

Is it possible to control behaviour with udev rules?

No idea - I haven't found anything that allows you to 'control' Bluetooth - including any mention of udev rules

I have no idea if udev could be used in this way - nor where to start in creating possible udev rules :-)

I asked my original question on the linux-bluetooth email list - and the only suggestion was hacking the Bluetooth kernel modules to 'filter connection requests at the PSM level' ...

Whats the bus that your BT is connected to, USB?

I'm testing on a laptop that has built-in BT - although lsusb lists:

Bus 002 Device 003: ID 0cf3:e005 Qualcomm Atheros Communications

which I believe is the BT controller

James Pearson

Leon Fauster via CentOS wrote:

...

...

Whats the bus that your BT is connected to, USB?

I'm testing on a laptop that has built-in BT - although lsusb lists:

Bus 002 Device 003: ID 0cf3:e005 Qualcomm Atheros Communications

which I believe is the BT controller

I never tested it with BT devices, just with "plain" usb devices but maybe its worth to take a look at the usbguard package. It supports whitelisting devices ...

I've never used USBGuard - but I don't think it will help here

Although the BT controller is a USB device, what devices are connected over BT are not

I guess you can think of the BT controller in a similar way as, say, a USB network adapter - the NIC is a USB device, but what it connects to over the network are not.

In the NIC case, you could use something like firewall rules to control what can and can't be connected to - but there doesn't seem to be anything similar for BT connections/devices

James Pearson