@sorted-bits
Created March 27, 2024 06:18
Getting Bluetooth to work on HomeAssistant Docker on Ubuntu 23

Dockerfile

Volumes

Make sure you have the following volume mounted in your Dockerfile (shown here in docker-compose syntax), so the container can reach the host's system D-Bus socket:

volumes:
  - /var/run/dbus:/var/run/dbus

Security Options

Include this security_opt in the Dockerfile as well:

security_opt:
  - apparmor:docker-ble-policy

AppArmor policy

Create a file called docker-ble-policy with the following content:

#include <tunables/global>

profile docker-ble-policy flags=(attach_disconnected,mediate_deleted) {

  #include <abstractions/base>
  #include <abstractions/dbus-strict>

  # D-Bus: the dbus-strict abstraction only covers talking to the bus daemon
  # itself. The two rules below are the only host D-Bus traffic this profile
  # grants: method calls to bluetoothd (org.bluez, which runs unconfined on
  # the host) and ObjectManager traffic (GetManagedObjects, InterfacesAdded/
  # InterfacesRemoved) used to enumerate adapters and devices. Anything else
  # on the system bus stays denied, as it is under docker-default.
  dbus (send) bus=system peer=(name=org.bluez, label=unconfined),
  dbus (send, receive) bus=system interface=org.freedesktop.DBus.ObjectManager peer=(label=unconfined),

  # Same broad grants as Docker's default profile template.
  network,
  capability,
  file,
  umount,

  signal (send,receive) peer=docker-ble-policy,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read,tracedby,readby) peer=docker-ble-policy,

}

After creating that file, load the profile into the kernel with the following command:

sudo apparmor_parser -r -W docker-ble-policy
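As an added check (not part of the gist), a small script that verifies each step above took effect: the compose file carries the volume and security_opt, the profile is loaded in enforce mode, and the container is really confined by it. The compose file path, container name and script name are assumptions.

```bash
#!/usr/bin/env bash
# Added check script (not from the gist): verifies the three pieces of the
# setup above. Assumptions: compose file path and container name are passed
# as arguments; the profile is named docker-ble-policy.

PROFILE="docker-ble-policy"

# 1. The compose file carries the dbus socket volume and the AppArmor
#    security_opt (docker accepts both "apparmor:NAME" and "apparmor=NAME").
#    Returns 1 if the volume is missing, 2 if the security_opt is missing.
check_compose() {
  local file="$1"
  grep -Eq '^[[:space:]]*-[[:space:]]*/var/run/dbus:/var/run/dbus[[:space:]]*$' "$file" || return 1
  grep -Eq "^[[:space:]]*-[[:space:]]*apparmor[:=]${PROFILE}[[:space:]]*$" "$file" || return 2
}

# 2. The profile is loaded in enforce mode. Reads the kernel's profile list
#    (the same data aa-status prints); the optional path argument lets the
#    function run against a captured copy of that list.
check_profile_loaded() {
  local list="${1:-/sys/kernel/security/apparmor/profiles}"
  grep -Eq "^${PROFILE} \(enforce\)$" "$list"
}

# 3. The running container is confined by the profile rather than by
#    docker-default (which has no dbus rules, so every BlueZ call is denied).
check_container() {
  local name="$1"
  [ "$(docker inspect --format '{{.AppArmorProfile}}' "$name")" = "$PROFILE" ]
}

# Usage: ./check-ble.sh docker-compose.yml homeassistant
if [ "$#" -eq 2 ]; then
  check_compose "$1"   && echo "compose  : ok" || echo "compose  : dbus volume or security_opt missing (rc=$?)"
  check_profile_loaded && echo "profile  : $PROFILE loaded (enforce)" || echo "profile  : not loaded, run apparmor_parser"
  check_container "$2" && echo "container: confined by $PROFILE" || echo "container: not confined by $PROFILE"
fi
```

Reading /sys/kernel/security/apparmor/profiles needs root. A profile loaded with apparmor_parser from an arbitrary path is not reloaded at boot; put the file in /etc/apparmor.d/ if it should survive a reboot.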

Things I did as well

For these things, I am not sure if this helped, but they didn't hurt:

Install bluez

sudo apt install bluez

Reboot

I did a reboot after all this, just to be sure. I read somewhere that it mattered, sooo 🤷
