import bluez-5.52-1.el8

# Conflicts:
#	.bluez.metadata
#	.gitignore
#	SOURCES/0001-build-Always-define-confdir-and-statedir.patch
#	SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
#	SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
#	SOURCES/0004-systemd-More-lockdown.patch
#	SPECS/bluez.spec

.bluez.metadata

@@ -0,0 +1 @@
+75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz

.gitignore

@@ -0,0 +1 @@
+SOURCES/bluez-5.52.tar.xz

SOURCES/0001-build-Always-define-confdir-and-statedir.patch

@@ -0,0 +1,41 @@
+From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 20:56:46 +0530
+Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir
+
+From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 20 Sep 2017 12:49:10 +0200
+
+build: Always define confdir and statedir
+
+As we will need those paths to lock down on them.
+---
+ Makefile.am | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 84c9712c9..6e77ed91e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -31,14 +31,15 @@ pkginclude_HEADERS =
+ AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
+ AM_LDFLAGS = $(MISC_LDFLAGS)
+ 
++confdir = $(sysconfdir)/bluetooth
++statedir = $(localstatedir)/lib/bluetooth
++
+ if DATAFILES
+ dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
+ dbus_DATA = src/bluetooth.conf
+ 
+-confdir = $(sysconfdir)/bluetooth
+ conf_DATA =
+ 
+-statedir = $(localstatedir)/lib/bluetooth
+ state_DATA =
+ endif
+ 
+-- 
+2.21.1
+

SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

@@ -0,0 +1,44 @@
+From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:54:24 +0530
+Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
+From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
+From: Craig Andrews <candrews@integralblue.com>
+Date: Wed, 13 Sep 2017 15:23:09 +0200
+
+systemd: Add PrivateTmp and NoNewPrivileges options
+
+PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
+namespace. This is useful to secure access to temporary files of the
+process.
+
+NoNewPrivileges ensures that service process and all its children
+can never gain new privileges through execve(), lowering the risk of
+possible privilege escalations.
+---
+ src/bluetooth.service.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index f9faaa452..7c2f60bb4 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -12,8 +12,14 @@ NotifyAccess=main
+ #Restart=on-failure
+ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+ LimitNPROC=1
++
++# Filesystem lockdown
+ ProtectHome=true
+ ProtectSystem=full
++PrivateTmp=true
++
++# Privilege escalation
++NoNewPrivileges=true
+ 
+ [Install]
+ WantedBy=bluetooth.target
+-- 
+2.21.1
+

SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch

@@ -0,0 +1,49 @@
+From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:55:39 +0530
+Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
+
+From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:37:11 +0200
+
+systemd: Add more filesystem lockdown
+
+We can only access the configuration file as read-only and read-write
+to the Bluetooth cache directory and sub-directories.
+---
+ Makefile.am              | 2 ++
+ src/bluetooth.service.in | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index cdd2fd8fb..0af1a8c45 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+ 
+ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
+ 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
++		       -e 's,@statedir\@,$(statedir),g' \
++		       -e 's,@confdir\@,$(confdir),g' \
+ 		< $< > $@
+ 
+ %.service: %.service.in Makefile
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 7c2f60bb4..4daedef2a 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -17,6 +17,10 @@ LimitNPROC=1
+ ProtectHome=true
+ ProtectSystem=full
+ PrivateTmp=true
++ProtectKernelTunables=true
++ProtectControlGroups=true
++ReadWritePaths=@statedir@
++ReadOnlyPaths=@confdir@
+ 
+ # Privilege escalation
+ NoNewPrivileges=true
+-- 
+2.21.1
+

SOURCES/0004-systemd-More-lockdown.patch

@@ -0,0 +1,40 @@
+From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:56:42 +0530
+Subject: [PATCH BlueZ 4/4] systemd: More lockdown
+
+From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:38:26 +0200
+
+systemd: More lockdown
+
+bluetoothd does not need to execute mapped memory, or real-time
+access, so block those.
+---
+ src/bluetooth.service.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 4daedef2a..f18801866 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -22,9 +22,15 @@ ProtectControlGroups=true
+ ReadWritePaths=@statedir@
+ ReadOnlyPaths=@confdir@
+ 
++# Execute Mappings
++MemoryDenyWriteExecute=true
++
+ # Privilege escalation
+ NoNewPrivileges=true
+ 
++# Real-time
++RestrictRealtime=true
++
+ [Install]
+ WantedBy=bluetooth.target
+ Alias=dbus-org.bluez.service
+-- 
+2.21.1
+