From 505b3c96649c24c2296e512e7df6e549261965b5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 14 2020 01:08:33 +0000 Subject: import bluez-5.52-1.el8 --- diff --git a/.bluez.metadata b/.bluez.metadata index 2dce898..b8a0111 100644 --- a/.bluez.metadata +++ b/.bluez.metadata @@ -1 +1 @@ -a59289c91ccb7fac248e916838d4e66d7936151e SOURCES/bluez-5.50.tar.xz +75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz diff --git a/.gitignore b/.gitignore index 50d3db5..3348dc8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/bluez-5.50.tar.xz +SOURCES/bluez-5.52.tar.xz diff --git a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch index 6e0c8ca..affb28a 100644 --- a/SOURCES/0001-build-Always-define-confdir-and-statedir.patch +++ b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch @@ -1,35 +1,41 @@ +From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Mon, 8 Jun 2020 20:56:46 +0530 +Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir + From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 20 Sep 2017 12:49:10 +0200 -Subject: [PATCH 1/4] build: Always define confdir and statedir + +build: Always define confdir and statedir As we will need those paths to lock down on them. --- - Makefile.am | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) + Makefile.am | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am -index 555f301ca..1c38d94e5 100644 +index 84c9712c9..6e77ed91e 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -30,14 +30,14 @@ include_HEADERS = - AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) +@@ -31,14 +31,15 @@ pkginclude_HEADERS = + AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags) AM_LDFLAGS = $(MISC_LDFLAGS) +confdir = $(sysconfdir)/bluetooth +statedir = $(localstatedir)/lib/bluetooth + if DATAFILES - dbusdir = @DBUS_CONFDIR@/dbus-1/system.d + dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d dbus_DATA = src/bluetooth.conf -confdir = $(sysconfdir)/bluetooth conf_DATA = -- + -statedir = $(localstatedir)/lib/bluetooth state_DATA = endif -- -2.14.1 +2.21.1 diff --git a/SOURCES/0001-build-Enable-BIND_NOW.patch b/SOURCES/0001-build-Enable-BIND_NOW.patch deleted file mode 100644 index b7c7e57..0000000 --- a/SOURCES/0001-build-Enable-BIND_NOW.patch +++ /dev/null @@ -1,31 +0,0 @@ -From e45c8fdcb3d7cdb654f6819c02d1bbb5b40b6116 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 7 Nov 2013 09:23:35 +0100 -Subject: [PATCH 1/4] build: Enable BIND_NOW - -Partial RELRO means that the object is GNU_RELRO but not BIND_NOW. This -reduces the effectiveness of RELRO. bluez triggers this because it -enables PIE during the build, and rpmdiff takes this as an indicator -that the best possible hardening is desired. - -https://bugzilla.redhat.com/show_bug.cgi?id=983161 ---- - acinclude.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/acinclude.m4 b/acinclude.m4 -index bc39c6d73..efce2f3cb 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [ - if (test "${enableval}" = "yes" && - test "${ac_cv_prog_cc_pie}" = "yes"); then - misc_cflags="$misc_cflags -fPIC" -- misc_ldflags="$misc_ldflags -pie" -+ misc_ldflags="$misc_ldflags -pie -Wl,-z,now" - fi - ]) - if (test "$enable_coverage" = "yes"); then --- -2.14.1 - diff --git a/SOURCES/0001-core-Add-AlwaysPairable-to-main.conf.patch b/SOURCES/0001-core-Add-AlwaysPairable-to-main.conf.patch deleted file mode 100644 index 1242069..0000000 --- a/SOURCES/0001-core-Add-AlwaysPairable-to-main.conf.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 4aa826664dd5d6e784162c2393149ecb01550fb1 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Wed, 18 Dec 2019 19:31:49 +0530 -Subject: [PATCH BlueZ 1/2] core: Add AlwaysPairable to main.conf - -commit 1880b299086659844889cdaf687133aca5eaf102 -Author: Luiz Augusto von Dentz -Date: Fri Jul 27 11:14:04 2018 +0300 - - core: Add AlwaysPairable to main.conf - - This adds a new option called AlwaysPairable to main.conf, it can be - used to enable Adapter.Pairable even in case there is no Agent - available. - - Since that could be consider a security problem to allow pairing - without user's consent the option defaults to false. ---- - src/adapter.c | 16 +++++++++++++++- - src/agent.h | 7 +++++++ - src/device.c | 2 -- - src/hcid.h | 1 + - src/main.c | 11 +++++++++++ - src/main.conf | 5 +++++ - 6 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/src/adapter.c b/src/adapter.c -index af340fd6e..720621f47 100644 ---- a/src/adapter.c -+++ b/src/adapter.c -@@ -7754,6 +7754,19 @@ int adapter_set_io_capability(struct btd_adapter *adapter, uint8_t io_cap) - { - struct mgmt_cp_set_io_capability cp; - -+ if (!main_opts.pairable) { -+ if (io_cap == IO_CAPABILITY_INVALID) { -+ if (adapter->current_settings & MGMT_SETTING_BONDABLE) -+ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x00); -+ -+ return 0; -+ } -+ -+ if (!(adapter->current_settings & MGMT_SETTING_BONDABLE)) -+ set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01); -+ } else if (io_cap == IO_CAPABILITY_INVALID) -+ io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT; -+ - memset(&cp, 0, sizeof(cp)); - cp.io_capability = io_cap; - -@@ -8682,7 +8695,8 @@ static void read_info_complete(uint8_t status, uint16_t length, - - set_name(adapter, btd_adapter_get_name(adapter)); - -- if (!(adapter->current_settings & MGMT_SETTING_BONDABLE)) -+ if (main_opts.pairable && -+ !(adapter->current_settings & MGMT_SETTING_BONDABLE)) - set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01); - - if (!kernel_conn_control) -diff --git a/src/agent.h b/src/agent.h -index 1e4692036..f14d14325 100644 ---- a/src/agent.h -+++ b/src/agent.h -@@ -22,6 +22,13 @@ - * - */ - -+#define IO_CAPABILITY_DISPLAYONLY 0x00 -+#define IO_CAPABILITY_DISPLAYYESNO 0x01 -+#define IO_CAPABILITY_KEYBOARDONLY 0x02 -+#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03 -+#define IO_CAPABILITY_KEYBOARDDISPLAY 0x04 -+#define IO_CAPABILITY_INVALID 0xFF -+ - struct agent; - - typedef void (*agent_cb) (struct agent *agent, DBusError *err, -diff --git a/src/device.c b/src/device.c -index 4f1af7012..0d7907a69 100644 ---- a/src/device.c -+++ b/src/device.c -@@ -75,8 +75,6 @@ - #include "attrib-server.h" - #include "eir.h" - --#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03 -- - #define DISCONNECT_TIMER 2 - #define DISCOVERY_TIMER 1 - #define INVALID_FLAGS 0xff -diff --git a/src/hcid.h b/src/hcid.h -index 2c2b89d9c..ba250578a 100644 ---- a/src/hcid.h -+++ b/src/hcid.h -@@ -38,6 +38,7 @@ typedef enum { - struct main_opts { - char *name; - uint32_t class; -+ gboolean pairable; - uint32_t pairto; - uint32_t discovto; - uint8_t privacy; -diff --git a/src/main.c b/src/main.c -index 7e6af42cd..156406343 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -81,6 +81,7 @@ static const char *supported_options[] = { - "Name", - "Class", - "DiscoverableTimeout", -+ "AlwaysPairable" - "PairableTimeout", - "DeviceID", - "ReverseServiceDiscovery", -@@ -287,6 +288,16 @@ static void parse_config(GKeyFile *config) - main_opts.discovto = val; - } - -+ boolean = g_key_file_get_boolean(config, "General", -+ "AlwaysPairable", &err); -+ if (err) { -+ DBG("%s", err->message); -+ g_clear_error(&err); -+ } else { -+ DBG("pairable=%s", boolean ? "true" : "false"); -+ main_opts.pairable = boolean; -+ } -+ - val = g_key_file_get_integer(config, "General", - "PairableTimeout", &err); - if (err) { -diff --git a/src/main.conf b/src/main.conf -index cbae32ec5..0d480d183 100644 ---- a/src/main.conf -+++ b/src/main.conf -@@ -13,6 +13,11 @@ - # 0 = disable timer, i.e. stay discoverable forever - #DiscoverableTimeout = 0 - -+# Always allow pairing even if there are no agent registered -+# Possible values: true, false -+# Default: false -+#AlwaysPairable = false -+ - # How long to stay in pairable mode before going back to non-discoverable - # The value is in seconds. Default is 0. - # 0 = disable timer, i.e. stay pairable forever --- -2.17.2 - diff --git a/SOURCES/0002-agent-Make-the-first-agent-to-register-the-default.patch b/SOURCES/0002-agent-Make-the-first-agent-to-register-the-default.patch deleted file mode 100644 index abe2dc0..0000000 --- a/SOURCES/0002-agent-Make-the-first-agent-to-register-the-default.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 997fd427eab3770d11f3d0c9f04629a6cefc22b4 Mon Sep 17 00:00:00 2001 -From: Gopal Tiwari -Date: Wed, 18 Dec 2019 19:33:33 +0530 -Subject: [PATCH BlueZ 2/2] agent: Make the first agent to register the - default - -commit 9213ff7642a33aa481e3c61989ad60f7985b9984 -Author: Luiz Augusto von Dentz -Date: Fri Jul 27 11:01:04 2018 +0300 - - agent: Make the first agent to register the default - - This simplifies the handling of default agent and enforce the IO - capabilities to be set whenever there is an agent available in the - system. ---- - src/agent.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/src/agent.c b/src/agent.c -index ff44d5755..183e2f190 100644 ---- a/src/agent.c -+++ b/src/agent.c -@@ -50,13 +50,6 @@ - #include "agent.h" - #include "shared/queue.h" - --#define IO_CAPABILITY_DISPLAYONLY 0x00 --#define IO_CAPABILITY_DISPLAYYESNO 0x01 --#define IO_CAPABILITY_KEYBOARDONLY 0x02 --#define IO_CAPABILITY_NOINPUTNOOUTPUT 0x03 --#define IO_CAPABILITY_KEYBOARDDISPLAY 0x04 --#define IO_CAPABILITY_INVALID 0xFF -- - #define REQUEST_TIMEOUT (60 * 1000) /* 60 seconds */ - #define AGENT_INTERFACE "org.bluez.Agent1" - -@@ -150,7 +143,7 @@ static void set_io_cap(struct btd_adapter *adapter, gpointer user_data) - if (agent) - io_cap = agent->capability; - else -- io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT; -+ io_cap = IO_CAPABILITY_INVALID; - - adapter_set_io_capability(adapter, io_cap); - } -@@ -294,6 +287,11 @@ static struct agent *agent_create( const char *name, const char *path, - name, agent_disconnect, - agent, NULL); - -+ if (queue_isempty(default_agents)) -+ add_default_agent(agent); -+ else -+ queue_push_tail(default_agents, agent); -+ - return agent_ref(agent); - } - --- -2.17.2 - diff --git a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch index cd9f69e..dce19e1 100644 --- a/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch +++ b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch @@ -1,7 +1,13 @@ +From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Mon, 8 Jun 2020 19:54:24 +0530 +Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options + From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001 From: Craig Andrews Date: Wed, 13 Sep 2017 15:23:09 +0200 -Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options + +systemd: Add PrivateTmp and NoNewPrivileges options PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different namespace. This is useful to secure access to temporary files of the @@ -15,7 +21,7 @@ possible privilege escalations. 1 file changed, 6 insertions(+) diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in -index f799f65f0..a6f3030f9 100644 +index f9faaa452..7c2f60bb4 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -12,8 +12,14 @@ NotifyAccess=main @@ -34,5 +40,5 @@ index f799f65f0..a6f3030f9 100644 [Install] WantedBy=bluetooth.target -- -2.14.1 +2.21.1 diff --git a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch index 6d14e2e..139fb62 100644 --- a/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch +++ b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch @@ -1,7 +1,13 @@ +From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Mon, 8 Jun 2020 19:55:39 +0530 +Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown + From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 13 Sep 2017 15:37:11 +0200 -Subject: [PATCH 3/4] systemd: Add more filesystem lockdown + +systemd: Add more filesystem lockdown We can only access the configuration file as read-only and read-write to the Bluetooth cache directory and sub-directories. @@ -11,20 +17,20 @@ to the Bluetooth cache directory and sub-directories. 2 files changed, 6 insertions(+) diff --git a/Makefile.am b/Makefile.am -index 1c38d94e5..13ccf9079 100644 +index cdd2fd8fb..0af1a8c45 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \ +@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ - $(SED) -e 's,@libexecdir\@,$(libexecdir),g' \ + $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \ + -e 's,@statedir\@,$(statedir),g' \ + -e 's,@confdir\@,$(confdir),g' \ < $< > $@ %.service: %.service.in Makefile diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in -index a6f3030f9..7e55b5043 100644 +index 7c2f60bb4..4daedef2a 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -17,6 +17,10 @@ LimitNPROC=1 @@ -39,5 +45,5 @@ index a6f3030f9..7e55b5043 100644 # Privilege escalation NoNewPrivileges=true -- -2.14.1 +2.21.1 diff --git a/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch b/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch deleted file mode 100644 index 1113fe7..0000000 --- a/SOURCES/0003-tools-csr_usb-Fix-compilation-failure.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 07a12a6685ea57be18f39e349dbc42e4af3744ed Mon Sep 17 00:00:00 2001 -From: Bastien Nocera -Date: Tue, 5 Sep 2017 10:32:15 +0200 -Subject: [PATCH 3/4] tools/csr_usb: Fix compilation failure - -GCC's "format-nonliteral" security check is enabled as an error in -recent versions of Fedora. Given the reduced scope of use, mark the -error as ignorable through pragma. - -tools/csr_usb.c: In function 'read_value': -tools/csr_usb.c:82:2: error: format not a string literal, argument types not checked [-Werror=format-nonliteral] - n = fscanf(file, format, &value); - ^ ---- - tools/csr_usb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tools/csr_usb.c b/tools/csr_usb.c -index a1d7324f7..33e9968a2 100644 ---- a/tools/csr_usb.c -+++ b/tools/csr_usb.c -@@ -67,6 +67,8 @@ struct usbfs_bulktransfer { - #define USBFS_IOCTL_CLAIMINTF _IOR('U', 15, unsigned int) - #define USBFS_IOCTL_RELEASEINTF _IOR('U', 16, unsigned int) - -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wformat-nonliteral" - static int read_value(const char *name, const char *attr, const char *format) - { - char path[PATH_MAX]; -@@ -88,6 +90,7 @@ static int read_value(const char *name, const char *attr, const char *format) - fclose(file); - return value; - } -+#pragma GCC diagnostic pop - - static char *check_device(const char *name) - { --- -2.14.1 - diff --git a/SOURCES/0004-systemd-More-lockdown.patch b/SOURCES/0004-systemd-More-lockdown.patch index 3ad3e14..ea1ac67 100644 --- a/SOURCES/0004-systemd-More-lockdown.patch +++ b/SOURCES/0004-systemd-More-lockdown.patch @@ -1,7 +1,13 @@ +From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001 +From: Gopal Tiwari +Date: Mon, 8 Jun 2020 19:56:42 +0530 +Subject: [PATCH BlueZ 4/4] systemd: More lockdown + From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 13 Sep 2017 15:38:26 +0200 -Subject: [PATCH 4/4] systemd: More lockdown + +systemd: More lockdown bluetoothd does not need to execute mapped memory, or real-time access, so block those. @@ -10,7 +16,7 @@ access, so block those. 1 file changed, 6 insertions(+) diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in -index 7e55b5043..e8267b338 100644 +index 4daedef2a..f18801866 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -22,9 +22,15 @@ ProtectControlGroups=true @@ -30,5 +36,5 @@ index 7e55b5043..e8267b338 100644 WantedBy=bluetooth.target Alias=dbus-org.bluez.service -- -2.14.1 +2.21.1 diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec index a6c1811..8a11617 100644 --- a/SPECS/bluez.spec +++ b/SPECS/bluez.spec @@ -1,7 +1,7 @@ Name: bluez Summary: Bluetooth utilities -Version: 5.50 -Release: 4%{?dist} +Version: 5.52 +Release: 1%{?dist} License: GPLv2+ URL: http://www.bluez.org/ @@ -15,8 +15,8 @@ Source3: btattach-bcm@.service Source4: btattach-bcm-service.sh # https://github.com/hadess/bluez/commits/build-fixes-5.46 -Patch1: 0001-build-Enable-BIND_NOW.patch -Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch +#Patch1: 0001-build-Enable-BIND_NOW.patch +#Patch2: 0003-tools-csr_usb-Fix-compilation-failure.patch # https://github.com/hadess/bluez/commits/obex-5.46 Patch3: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch @@ -33,8 +33,8 @@ Patch23: 0004-systemd-More-lockdown.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1567622 Patch24: 0001-adapter-Don-t-refresh-adv_manager-for-non-LE-devices.patch -Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch -Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch +#Patch25: 0001-core-Add-AlwaysPairable-to-main.conf.patch +#Patch26: 0002-agent-Make-the-first-agent-to-register-the-default.patch Patch27: 0001-HOGP-must-only-accept-data-from-bonded-devices.patch Patch28: 0002-HID-accepts-bonded-device-connections-only.patch @@ -226,6 +226,7 @@ make check %{_bindir}/mpris-proxy %{_bindir}/gatttool %{_bindir}/rctest +%{_datadir}/zsh/site-functions/_bluetoothctl %{_mandir}/man1/btattach.1.gz %{_mandir}/man1/ciptool.1.gz %{_mandir}/man1/hcitool.1.gz @@ -247,6 +248,7 @@ make check %{_unitdir}/btattach-bcm@.service %{_udevrulesdir}/69-btattach-bcm.rules + %files libs %{!?_licensedir:%global license %%doc} %license COPYING @@ -272,6 +274,9 @@ make check %{_userunitdir}/obex.service %changelog +* Tue Jun 9 2020 Gopal Tiwari - 5.52-1 ++ bluez-5.52-1 +- Fixing (#1830397) * Fri Apr 24 2020 Gopal Tiwari - 5.50-4 + bluez-5.50-4