Merge pull request #136 from linuxserver/btsetcap

add caps to python binary for bt stack access
2026-02-20 08:40:45 +08:00 · 2025-09-19 16:18:00 -04:00 · 2025-09-19 16:18:00 -04:00 · c8fe2d1b0c
commit c8fe2d1b0c
parent f23e627d71 f694b4752f
7 changed files with 16 additions and 5 deletions
--- a/.editorconfig
+++ b/.editorconfig
--- a/.github/ISSUE_TEMPLATE/issue.bug.yml
+++ b/.github/ISSUE_TEMPLATE/issue.bug.yml
--- a/.github/ISSUE_TEMPLATE/issue.feature.yml
+++ b/.github/ISSUE_TEMPLATE/issue.feature.yml
--- a/.github/workflows/permissions.yml
+++ b/.github/workflows/permissions.yml
--- a/README.md
+++ b/README.md
@ -77,7 +77,7 @@ In order to provide HA with access to the host's Bluetooth device, one needs to

 #### Docker Cli:
 ```bash
--cap-add=NET_ADMIN --cap-add=NET_RAW -v /var/run/dbus:/var/run/dbus:ro
+--cap-add=NET_ADMIN --cap-add=NET_RAW -v /run/dbus:/run/dbus:ro
 ```

 #### Docker Compose:
@ -86,9 +86,11 @@ In order to provide HA with access to the host's Bluetooth device, one needs to
      - NET_ADMIN
      - NET_RAW
    volumes:
-      - /var/run/dbus:/var/run/dbus:ro
+      - /run/dbus:/run/dbus:ro
 ```

+If the dbus path on host differs, such as `/var/run/dbus`, then you can map it as `/var/run/dbus:/run/dbus:ro`.
+
 ### Using the Ping integration

 For the [Ping][ping0] integration to work, the capability `NET_RAW` must be added to the container. See above for instructions.
@ -316,6 +318,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

 ## Versions

+* **19.09.25:** - Add the necessary capabilities in the container to allow the unprivileged user access to bluetooth stack.
 * **03.01.25:** - Rebase to alpine 3.21.
 * **04.12.24:** - Make setcap target dynamic.
 * **07.11.24:** - Add go2rtc binary.
--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -51,7 +51,7 @@ app_setup_block: |

  #### Docker Cli:
  ```bash
-  --cap-add=NET_ADMIN --cap-add=NET_RAW -v /var/run/dbus:/var/run/dbus:ro
+  --cap-add=NET_ADMIN --cap-add=NET_RAW -v /run/dbus:/run/dbus:ro
  ```

  #### Docker Compose:
@ -60,9 +60,11 @@ app_setup_block: |
        - NET_ADMIN
        - NET_RAW
      volumes:
-        - /var/run/dbus:/var/run/dbus:ro
+        - /run/dbus:/run/dbus:ro
  ```

+  If the dbus path on host differs, such as `/var/run/dbus`, then you can map it as `/var/run/dbus:/run/dbus:ro`.
+
  ### Using the Ping integration

  For the [Ping][ping0] integration to work, the capability `NET_RAW` must be added to the container. See above for instructions.
@ -114,6 +116,7 @@ init_diagram: |
  "homeassistant:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "19.09.25:", desc: "Add the necessary capabilities in the container to allow the unprivileged user access to bluetooth stack."}
  - {date: "03.01.25:", desc: "Rebase to alpine 3.21."}
  - {date: "04.12.24:", desc: "Make setcap target dynamic."}
  - {date: "07.11.24:", desc: "Add go2rtc binary."}
--- a/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
@ -3,7 +3,12 @@

 PY_LOCAL_PATH=$(find /usr/local/lib -maxdepth 1 -name python* -type d)
 PY_LOCAL_BIN=$(basename "${PY_LOCAL_PATH}")
-setcap 'cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+if capsh --has-p=cap_net_admin 2>/dev/null && capsh --has-p=cap_net_raw 2>/dev/null; then
+  echo "Adding cap_net_admin and cap_net_raw to python binary for bt access"
+  setcap 'cap_net_bind_service,cap_net_raw,cap_net_admin=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+else
+  setcap 'cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+fi

 if [[ -z "${DISABLE_JEMALLOC+x}" ]]; then
  export LD_PRELOAD="/usr/local/lib/libjemalloc.so.2"