I've managed to get a Wacom Intuos Pro 2 (PTH-660) tablet working over Bluetooth to a CentOS 7 install. Well, I didn't actually have to do much to get it working ...
However, we don't normally enable Bluetooth for security reasons, so I need to be able to configure things so Bluetooth can _only_ be used to pair with Wacom tablets
As I've never used Bluetooth in anger before, I'm struggling to find out where to start looking - does anyone know how to do this or any pointers on where I should start?
Thanks
James Pearson
James Pearson wrote:
> I've managed to get a Wacom Intuos Pro 2 (PTH-660) tablet working over Bluetooth to a CentOS 7 install. Well, I didn't actually have to do much to get it working ...
> However, we don't normally enable Bluetooth for security reasons, so I need to be able to configure things so Bluetooth can _only_ be used to pair with Wacom tablets
> As I've never used Bluetooth in anger before, I'm struggling to find out where to start looking - does anyone know how to do this or any pointers on where I should start?
To answer my own question - there appears to be nothing either at the kernel or user interface level that can do this - i.e. there is nothing to, say, limit Bluetooth to just HID devices
Which is a pity, as it's either an all or nothing with Bluetooth, which means we can't use Bluetooth for Wacom tablets without opening up access to file transfer over Bluetooth as well ...
James Pearson
On 1/13/20 2:26 AM, James Pearson wrote:
> Which is a pity, as it's either an all or nothing with Bluetooth, which means we can't use Bluetooth for Wacom tablets without opening up access to file transfer over Bluetooth as well ...
What is the threat you're trying to mitigate, specifically? I don't see how pairing a tablet would allow file transfers. An unauthorized device can't unilaterally pair with your system.
Gordon Messmer wrote:
> On 1/13/20 2:26 AM, James Pearson wrote:
>> Which is a pity, as it's either an all or nothing with Bluetooth, which means we can't use Bluetooth for Wacom tablets without opening up access to file transfer over Bluetooth as well ...
> What is the threat you're trying to mitigate, specifically? I don't see how pairing a tablet would allow file transfers. An unauthorized device can't unilaterally pair with your system.
If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow
Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want
i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices
James Pearson
On 14/01/2020 10:27, James Pearson wrote:
> Gordon Messmer wrote:
>> On 1/13/20 2:26 AM, James Pearson wrote:
>>> Which is a pity, as it's either an all or nothing with Bluetooth, which means we can't use Bluetooth for Wacom tablets without opening up access to file transfer over Bluetooth as well ...
>> What is the threat you're trying to mitigate, specifically? I don't see how pairing a tablet would allow file transfers. An unauthorized device can't unilaterally pair with your system.
> If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow
> Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want
> i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices
Is it possible to control behaviour with udev rules?
Phil Perry wrote:
>>> What is the threat you're trying to mitigate, specifically? I don't see how pairing a tablet would allow file transfers. An unauthorized device can't unilaterally pair with your system.
>> If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow
>> Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want
>> i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices
> Is it possible to control behaviour with udev rules?
No idea - I haven't found anything that allows you to 'control' Bluetooth - including any mention of udev rules
I have no idea if udev could be used in this way - nor where to start in creating possible udev rules :-)
I asked my original question on the linux-bluetooth email list - and the only suggestion was hacking the Bluetooth kernel modules to 'filter connection requests at the PSM level' ...
Thanks
James Pearson
On 15.01.20 at 15:02, James Pearson wrote:
> Phil Perry wrote:
>>>> What is the threat you're trying to mitigate, specifically? I don't see how pairing a tablet would allow file transfers. An unauthorized device can't unilaterally pair with your system.
>>> If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow
>>> Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want
>>> i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices
>> Is it possible to control behaviour with udev rules?
> No idea - I haven't found anything that allows you to 'control' Bluetooth - including any mention of udev rules
> I have no idea if udev could be used in this way - nor where to start in creating possible udev rules :-)
> I asked my original question on the linux-bluetooth email list - and the only suggestion was hacking the Bluetooth kernel modules to 'filter connection requests at the PSM level' ...
What's the bus that your BT is connected to, USB?
-- Leon
Leon Fauster via CentOS wrote:
>>> Is it possible to control behaviour with udev rules?
>> No idea - I haven't found anything that allows you to 'control' Bluetooth - including any mention of udev rules
>> I have no idea if udev could be used in this way - nor where to start in creating possible udev rules :-)
>> I asked my original question on the linux-bluetooth email list - and the only suggestion was hacking the Bluetooth kernel modules to 'filter connection requests at the PSM level' ...
> What's the bus that your BT is connected to, USB?
I'm testing on a laptop that has built-in BT - although lsusb lists:
Bus 002 Device 003: ID 0cf3:e005 Qualcomm Atheros Communications
which I believe is the BT controller
James Pearson
On 16.01.20 at 12:36, James Pearson wrote:
> Leon Fauster via CentOS wrote:
>>>> Is it possible to control behaviour with udev rules?
>>> No idea - I haven't found anything that allows you to 'control' Bluetooth - including any mention of udev rules
>>> I have no idea if udev could be used in this way - nor where to start in creating possible udev rules :-)
>>> I asked my original question on the linux-bluetooth email list - and the only suggestion was hacking the Bluetooth kernel modules to 'filter connection requests at the PSM level' ...
>> What's the bus that your BT is connected to, USB?
> I'm testing on a laptop that has built-in BT - although lsusb lists:
> Bus 002 Device 003: ID 0cf3:e005 Qualcomm Atheros Communications
> which I believe is the BT controller
I never tested it with BT devices, just with "plain" USB devices, but maybe it's worth taking a look at the usbguard package. It supports whitelisting devices ...
-- Leon
Leon Fauster via CentOS wrote:
>>> What's the bus that your BT is connected to, USB?
>> I'm testing on a laptop that has built-in BT - although lsusb lists:
>> Bus 002 Device 003: ID 0cf3:e005 Qualcomm Atheros Communications
>> which I believe is the BT controller
> I never tested it with BT devices, just with "plain" USB devices, but maybe it's worth taking a look at the usbguard package. It supports whitelisting devices ...
I've never used USBGuard - but I don't think it will help here
Although the BT controller is a USB device, what devices are connected over BT are not
I guess you can think of the BT controller in a similar way as, say, a USB network adapter - the NIC is a USB device, but what it connects to over the network are not.
In the NIC case, you could use something like firewall rules to control what can and can't be connected to - but there doesn't seem to be anything similar for BT connections/devices
James Pearson
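Added example, not code from the thread, from BlueZ or from CentOS: one place the "firewall rule for Bluetooth" asked for above (restrict pairing to HID-class devices, keep file transfer out) can be expressed is BlueZ 5's pairing-agent interface, org.bluez.Agent1. A root-owned process registered as the default agent is asked to approve pairings (RequestConfirmation, RequestAuthorization) and profile connections (AuthorizeService) and may reject them with org.bluez.Error.Rejected. The script below decides on the remote device's Class of Device (BR/EDR), or its GAP Appearance when it is a BLE device without a CoD, plus the service UUIDs it advertises: only Peripheral/HID-class devices pass, and anything carrying the OBEX Object Push or File Transfer profile, or the Object Transfer service bit, is refused. The policy functions are pure Python and run offline; the D-Bus glue in run_agent assumes python-dbus and PyGObject are installed and that it runs as root. The CoD values used in the tests (0x5A020C for a phone, 0x000594 for a pointing-device digitizer tablet) are constructed from the Bluetooth assigned-numbers layout, not read from a PTH-660 or any real phone; the real values for a device show up in the Class: and UUID: lines of `bluetoothctl info <addr>`. The object path /example/hid_only_agent is an arbitrary choice.

```python
"""HID-only pairing/authorisation policy as a BlueZ 5 default agent (added example)."""

# Class of Device layout: bits 1..0 format, 7..2 minor class, 12..8 major class,
# 23..13 major service classes (Bluetooth assigned numbers).
MAJOR_CLASSES = {0x01: "Computer", 0x02: "Phone", 0x03: "LAN/AP", 0x04: "Audio/Video",
                 0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy",
                 0x09: "Health", 0x1F: "Uncategorized"}
PERIPHERAL = 0x05
KEYBOARD_POINTING = {1: "keyboard", 2: "pointing device", 3: "keyboard+pointing"}   # bits 7..6
PERIPHERAL_MINOR = {0x1: "joystick", 0x2: "gamepad", 0x3: "remote control",            # bits 5..2
                    0x4: "sensing device", 0x5: "digitizer tablet", 0x6: "card reader",
                    0x7: "digital pen", 0x8: "handheld scanner"}
SERVICE_BITS = {17: "networking", 18: "rendering", 19: "capturing",
                20: "object transfer", 21: "audio", 22: "telephony", 23: "information"}
BLE_HID_CATEGORY = 0x0F            # GAP Appearance category (appearance >> 6) for HID

BASE = "-0000-1000-8000-00805f9b34fb"
HID_UUID = "00001124" + BASE
OBEX_OBJECT_PUSH = "00001105" + BASE
OBEX_FILE_TRANSFER = "00001106" + BASE
DENIED_SERVICES = {OBEX_OBJECT_PUSH, OBEX_FILE_TRANSFER}


def major_class(cod):
    return (cod >> 8) & 0x1F


def service_classes(cod):
    return {name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)}


def describe_cod(cod):
    """Human-readable major class, with the Peripheral minor class decoded."""
    major = MAJOR_CLASSES.get(major_class(cod), "reserved")
    if major_class(cod) != PERIPHERAL:
        return major
    parts = [KEYBOARD_POINTING.get((cod >> 6) & 0x3, ""), PERIPHERAL_MINOR.get((cod >> 2) & 0xF, "")]
    parts = [p for p in parts if p]
    return major + (" (" + ", ".join(parts) + ")" if parts else "")


def decide(cod=None, appearance=None, uuids=()):
    """Return (allowed, reason). Allow only HID-class devices with no file-transfer profile."""
    denied = DENIED_SERVICES.intersection(u.lower() for u in uuids)
    if denied:
        return False, "advertises file-transfer profile(s): " + ", ".join(sorted(denied))
    if cod is not None:                                  # BR/EDR device: judge by CoD
        if major_class(cod) != PERIPHERAL:
            return False, "major class is %s, not Peripheral" % describe_cod(cod)
        if "object transfer" in service_classes(cod):
            return False, "Peripheral device also sets the Object Transfer service bit"
        return True, describe_cod(cod)
    if appearance is not None:                           # BLE device: judge by Appearance
        if (appearance >> 6) == BLE_HID_CATEGORY:
            return True, "BLE HID appearance 0x%04x" % appearance
        return False, "BLE appearance 0x%04x is not HID" % appearance
    return False, "device exposes neither Class nor Appearance"


def run_agent(path="/example/hid_only_agent"):          # hypothetical object path
    """Register decide() as BlueZ's default agent. Needs root, python-dbus, PyGObject."""
    import dbus, dbus.service
    from dbus.mainloop.glib import DBusGMainLoop
    from gi.repository import GLib

    DBusGMainLoop(set_as_default=True)
    bus = dbus.SystemBus()

    class Rejected(dbus.DBusException):
        _dbus_error_name = "org.bluez.Error.Rejected"

    def check(device_path):
        props = dbus.Interface(bus.get_object("org.bluez", device_path),
                               "org.freedesktop.DBus.Properties").GetAll("org.bluez.Device1")
        cod, app = props.get("Class"), props.get("Appearance")
        ok, why = decide(None if cod is None else int(cod), None if app is None else int(app),
                         [str(u) for u in props.get("UUIDs", [])])
        if not ok:
            raise Rejected(why)

    class Agent(dbus.service.Object):
        @dbus.service.method("org.bluez.Agent1", in_signature="o", out_signature="")
        def RequestAuthorization(self, device):
            check(device)

        @dbus.service.method("org.bluez.Agent1", in_signature="ou", out_signature="")
        def RequestConfirmation(self, device, passkey):
            check(device)                              # passkey comparison left to policy owner

        @dbus.service.method("org.bluez.Agent1", in_signature="os", out_signature="")
        def AuthorizeService(self, device, uuid):
            if str(uuid).lower() in DENIED_SERVICES:
                raise Rejected("OBEX service connection denied by policy")
            check(device)

        @dbus.service.method("org.bluez.Agent1", in_signature="", out_signature="")
        def Cancel(self):
            pass

        @dbus.service.method("org.bluez.Agent1", in_signature="", out_signature="")
        def Release(self):
            pass

    Agent(bus, path)
    manager = dbus.Interface(bus.get_object("org.bluez", "/org/bluez"), "org.bluez.AgentManager1")
    manager.RegisterAgent(path, "DisplayYesNo")         # no PIN entry: legacy-PIN devices fail closed
    manager.RequestDefaultAgent(path)
    GLib.MainLoop().run()


if __name__ == "__main__":
    run_agent()
```

Two caveats on what this does and does not buy. BlueZ uses the agent registered by the application that initiated a pairing and only falls back to the default agent for requests that arrive without one, so this agent polices incoming connections and headless pairings; it does not by itself stop an interactive user who brings their own agent (bluetoothctl, a desktop applet) from pairing with a phone. The control for that is the D-Bus policy for the org.bluez name (/etc/dbus-1/system.d/bluetooth.conf on a BlueZ 5 install), where the Pair method of org.bluez.Device1 can be denied to the default context and allowed to root or a group; I have not checked the exact policy CentOS 7 ships, so read that file before changing it. Second, OBEX file transfer is served by obexd as a per-user session service (org.bluez.obex), separate from bluetoothd; if the CentOS 7 bluez package ships it (rpm -ql bluez | grep -i obex), disabling that service removes the local file-transfer path regardless of what is paired.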