import bluez-5.52-1.el8
# Conflicts: # .bluez.metadata # .gitignore # SOURCES/0001-build-Always-define-confdir-and-statedir.patch # SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch # SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch # SOURCES/0004-systemd-More-lockdown.patch # SPECS/bluez.spec
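--- /dev/null
+++ b/.bluez.metadata
@@ -0,0 +1 @@
+75e907922a62588c12d5642293403be0625b4d02 SOURCES/bluez-5.52.tar.xz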
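--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/bluez-5.52.tar.xz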
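--- /dev/null
+++ b/SOURCES/0001-build-Always-define-confdir-and-statedir.patch
@@ -0,0 +1,41 @@
+From 5a62336f4da3a2d1a1ab38d03980d57844bce147 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 20:56:46 +0530
+Subject: [PATCH BlueZ 1/4] build: Always define confdir and statedir
+
+From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 20 Sep 2017 12:49:10 +0200
+
+build: Always define confdir and statedir
+
+As we will need those paths to lock down on them.
+---
+Makefile.am | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 84c9712c9..6e77ed91e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -31,14 +31,15 @@ pkginclude_HEADERS =
+AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
+AM_LDFLAGS = $(MISC_LDFLAGS)
+
++confdir = $(sysconfdir)/bluetooth
++statedir = $(localstatedir)/lib/bluetooth
++
+if DATAFILES
+dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
+dbus_DATA = src/bluetooth.conf
+
+-confdir = $(sysconfdir)/bluetooth
+conf_DATA =
+
+-statedir = $(localstatedir)/lib/bluetooth
+state_DATA =
+endif
+
+--
+2.21.1
+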
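--- /dev/null
+++ b/SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@@ -0,0 +1,44 @@
+From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:54:24 +0530
+Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
+From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
+From: Craig Andrews <candrews@integralblue.com>
+Date: Wed, 13 Sep 2017 15:23:09 +0200
+
+systemd: Add PrivateTmp and NoNewPrivileges options
+
+PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
+namespace. This is useful to secure access to temporary files of the
+process.
+
+NoNewPrivileges ensures that service process and all its children
+can never gain new privileges through execve(), lowering the risk of
+possible privilege escalations.
+---
+src/bluetooth.service.in | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index f9faaa452..7c2f60bb4 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -12,8 +12,14 @@ NotifyAccess=main
+#Restart=on-failure
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+LimitNPROC=1
++
++# Filesystem lockdown
+ProtectHome=true
+ProtectSystem=full
++PrivateTmp=true
++
++# Privilege escalation
++NoNewPrivileges=true
+
+[Install]
+WantedBy=bluetooth.target
+--
+2.21.1
+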
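--- /dev/null
+++ b/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
@@ -0,0 +1,49 @@
+From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:55:39 +0530
+Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
+
+From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:37:11 +0200
+
+systemd: Add more filesystem lockdown
+
+We can only access the configuration file as read-only and read-write
+to the Bluetooth cache directory and sub-directories.
+---
+Makefile.am | 2 ++
+src/bluetooth.service.in | 4 ++++
+2 files changed, 6 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index cdd2fd8fb..0af1a8c45 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+
+SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
+$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
++ -e 's,@statedir\@,$(statedir),g' \
++ -e 's,@confdir\@,$(confdir),g' \
+< $< > $@
+
+%.service: %.service.in Makefile
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 7c2f60bb4..4daedef2a 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -17,6 +17,10 @@ LimitNPROC=1
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
++ProtectKernelTunables=true
++ProtectControlGroups=true
++ReadWritePaths=@statedir@
++ReadOnlyPaths=@confdir@
+
+# Privilege escalation
+NoNewPrivileges=true
+--
+2.21.1
+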
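Review bot: The two new path directives in the bluetooth.service.in hunk, `ReadWritePaths=@statedir@` and `ReadOnlyPaths=@confdir@`, do not tighten anything while the unit keeps `ProtectSystem=full` three lines above them: as far as I read the systemd.exec semantics, `full` already mounts /etc read-only, so the confdir entry is redundant, and it leaves /var writable, so the statedir entry grants nothing that the process did not already have. The read-only-config/read-write-cache split described in the commit message is only enforced if the unit moves to `ProtectSystem=strict`, at which point these two lines become the exceptions that keep bluetoothd working. Either make that move (after confirming bluetoothd has no other write targets, which the hunk cannot show) or mark the entries as declarative for now with a comment such as `# Effective only under ProtectSystem=strict; documents the intended write set`. The substitution of @statedir@/@confdir@ depends on the `%.service: %.service.in Makefile` rule in the first hunk, which is the right place for it.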
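--- /dev/null
+++ b/SOURCES/0004-systemd-More-lockdown.patch
@@ -0,0 +1,40 @@
+From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
+From: Gopal Tiwari <gtiwari@redhat.com>
+Date: Mon, 8 Jun 2020 19:56:42 +0530
+Subject: [PATCH BlueZ 4/4] systemd: More lockdown
+
+From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:38:26 +0200
+
+systemd: More lockdown
+
+bluetoothd does not need to execute mapped memory, or real-time
+access, so block those.
+---
+src/bluetooth.service.in | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 4daedef2a..f18801866 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -22,9 +22,15 @@ ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
+
++# Execute Mappings
++MemoryDenyWriteExecute=true
++
+# Privilege escalation
+NoNewPrivileges=true
+
++# Real-time
++RestrictRealtime=true
++
+[Install]
+WantedBy=bluetooth.target
+Alias=dbus-org.bluez.service
+--
+2.21.1
+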
1085
SPECS/bluez.spec
Normal file
1085
SPECS/bluez.spec
Normal file