RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/bluez#ea45d3989ea6a8eaf21830c923bd9ad62722b6bb
This commit is contained in:
parent
469ec22d7e
commit
3b610b9e61
3
.gitignore
vendored
3
.gitignore
vendored
@ -0,0 +1,3 @@
|
||||
/bluez-4.*.tar.gz
|
||||
/bluez-5.*.tar.xz
|
||||
/sources
|
35
0001-build-Always-define-confdir-and-statedir.patch
Normal file
35
0001-build-Always-define-confdir-and-statedir.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Wed, 20 Sep 2017 12:49:10 +0200
|
||||
Subject: [PATCH 1/4] build: Always define confdir and statedir
|
||||
|
||||
As we will need those paths to lock down on them.
|
||||
---
|
||||
Makefile.am | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 9d25a815b..ac88c12e0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -31,14 +31,14 @@ pkginclude_HEADERS =
|
||||
AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
|
||||
AM_LDFLAGS = $(MISC_LDFLAGS)
|
||||
|
||||
+confdir = $(sysconfdir)/bluetooth
|
||||
+statedir = $(localstatedir)/lib/bluetooth
|
||||
+
|
||||
if DATAFILES
|
||||
dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
|
||||
dbus_DATA = src/bluetooth.conf
|
||||
|
||||
-confdir = $(sysconfdir)/bluetooth
|
||||
conf_DATA =
|
||||
-
|
||||
-statedir = $(localstatedir)/lib/bluetooth
|
||||
state_DATA =
|
||||
endif
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
38
0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
Normal file
38
0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 90b72b787a6ae6b9b0bf8ece238e108e8607a433 Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Sat, 9 Nov 2013 18:13:43 +0100
|
||||
Subject: [PATCH 1/2] obex: Use GLib helper function to manipulate paths
|
||||
|
||||
Instead of trying to do it by hand. This also makes sure that
|
||||
relative paths aren't used by the agent.
|
||||
---
|
||||
obexd/src/manager.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/obexd/src/manager.c b/obexd/src/manager.c
|
||||
index f84384ae4..285c07c37 100644
|
||||
--- a/obexd/src/manager.c
|
||||
+++ b/obexd/src/manager.c
|
||||
@@ -650,14 +650,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
|
||||
DBUS_TYPE_STRING, &name,
|
||||
DBUS_TYPE_INVALID)) {
|
||||
/* Splits folder and name */
|
||||
- const char *slash = strrchr(name, '/');
|
||||
+ gboolean is_relative = !g_path_is_absolute(name);
|
||||
DBG("Agent replied with %s", name);
|
||||
- if (!slash) {
|
||||
- agent->new_name = g_strdup(name);
|
||||
+ if (is_relative) {
|
||||
+ agent->new_name = g_path_get_basename(name);
|
||||
agent->new_folder = NULL;
|
||||
} else {
|
||||
- agent->new_name = g_strdup(slash + 1);
|
||||
- agent->new_folder = g_strndup(name, slash - name);
|
||||
+ agent->new_name = g_path_get_basename(name);
|
||||
+ agent->new_folder = g_path_get_dirname(name);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.14.1
|
||||
|
@ -0,0 +1,38 @@
|
||||
From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
|
||||
From: Craig Andrews <candrews@integralblue.com>
|
||||
Date: Wed, 13 Sep 2017 15:23:09 +0200
|
||||
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
|
||||
|
||||
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
|
||||
namespace. This is useful to secure access to temporary files of the
|
||||
process.
|
||||
|
||||
NoNewPrivileges ensures that service process and all its children
|
||||
can never gain new privileges through execve(), lowering the risk of
|
||||
possible privilege escalations.
|
||||
---
|
||||
src/bluetooth.service.in | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
||||
index f9faaa452..7c2f60bb4 100644
|
||||
--- a/src/bluetooth.service.in
|
||||
+++ b/src/bluetooth.service.in
|
||||
@@ -12,8 +12,14 @@ NotifyAccess=main
|
||||
#Restart=on-failure
|
||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
|
||||
LimitNPROC=1
|
||||
+
|
||||
+# Filesystem lockdown
|
||||
ProtectHome=true
|
||||
ProtectSystem=full
|
||||
+PrivateTmp=true
|
||||
+
|
||||
+# Privilege escalation
|
||||
+NoNewPrivileges=true
|
||||
|
||||
[Install]
|
||||
WantedBy=bluetooth.target
|
||||
--
|
||||
2.21.0
|
||||
|
44
0003-systemd-Add-more-filesystem-lockdown.patch
Normal file
44
0003-systemd-Add-more-filesystem-lockdown.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Wed, 13 Sep 2017 15:37:11 +0200
|
||||
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
|
||||
|
||||
We can only access the configuration file as read-only and read-write
|
||||
to the Bluetooth cache directory and sub-directories.
|
||||
---
|
||||
Makefile.am | 3 +++
|
||||
src/bluetooth.service.in | 4 ++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index ac88c12e0..0a6d09847 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
|
||||
|
||||
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
|
||||
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
|
||||
+ -e 's,@libexecdir\@,$(libexecdir),g' \
|
||||
+ -e 's,@statedir\@,$(statedir),g' \
|
||||
+ -e 's,@confdir\@,$(confdir),g' \
|
||||
< $< > $@
|
||||
|
||||
%.service: %.service.in Makefile
|
||||
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
||||
index 7c2f60bb4..4daedef2a 100644
|
||||
--- a/src/bluetooth.service.in
|
||||
+++ b/src/bluetooth.service.in
|
||||
@@ -17,6 +17,10 @@ LimitNPROC=1
|
||||
ProtectHome=true
|
||||
ProtectSystem=full
|
||||
PrivateTmp=true
|
||||
+ProtectKernelTunables=true
|
||||
+ProtectControlGroups=true
|
||||
+ReadWritePaths=@statedir@
|
||||
+ReadOnlyPaths=@confdir@
|
||||
|
||||
# Privilege escalation
|
||||
NoNewPrivileges=true
|
||||
--
|
||||
2.21.0
|
||||
|
34
0004-systemd-More-lockdown.patch
Normal file
34
0004-systemd-More-lockdown.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
|
||||
From: Bastien Nocera <hadess@hadess.net>
|
||||
Date: Wed, 13 Sep 2017 15:38:26 +0200
|
||||
Subject: [PATCH 4/4] systemd: More lockdown
|
||||
|
||||
bluetoothd does not need to execute mapped memory, or real-time
|
||||
access, so block those.
|
||||
---
|
||||
src/bluetooth.service.in | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
||||
index 4daedef2a..f18801866 100644
|
||||
--- a/src/bluetooth.service.in
|
||||
+++ b/src/bluetooth.service.in
|
||||
@@ -22,9 +22,15 @@ ProtectControlGroups=true
|
||||
ReadWritePaths=@statedir@
|
||||
ReadOnlyPaths=@confdir@
|
||||
|
||||
+# Execute Mappings
|
||||
+MemoryDenyWriteExecute=true
|
||||
+
|
||||
# Privilege escalation
|
||||
NoNewPrivileges=true
|
||||
|
||||
+# Real-time
|
||||
+RestrictRealtime=true
|
||||
+
|
||||
[Install]
|
||||
WantedBy=bluetooth.target
|
||||
Alias=dbus-org.bluez.service
|
||||
--
|
||||
2.21.0
|
||||
|
33
69-btattach-bcm.rules
Normal file
33
69-btattach-bcm.rules
Normal file
@ -0,0 +1,33 @@
|
||||
# Some devices have a bluetooth HCI connected to an uart, these needs to be
|
||||
# setup by calling btattach. The systemd btattach-bcm.service takes care of
|
||||
# this. These udev rules hardware-activate that service when necessary.
|
||||
#
|
||||
# For now this only suports ACPI enumerated Broadcom BT HCIs.
|
||||
# This has been tested on Bay and Cherry Trail devices with both ACPI and
|
||||
# PCI enumerated UARTs.
|
||||
|
||||
# Note we check for the platform device not for the acpi device, because
|
||||
# some DSDTs list multiple bluetooth adapters, but only some (or none)
|
||||
# are enabled. Only enabled adapters get a platform device created.
|
||||
ACTION!="add", GOTO="btattach_bcm_rules_end"
|
||||
SUBSYSTEM!="platform", GOTO="btattach_bcm_rules_end"
|
||||
|
||||
KERNEL=="BCM2E1A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E39:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E3A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E3D:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E3F:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E40:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E54:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E55:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E64:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E65:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E67:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E71:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E7B:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E7C:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E7E:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E95:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
KERNEL=="BCM2E96:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
|
||||
|
||||
LABEL="btattach_bcm_rules_end"
|
100
bluez.gitignore
Normal file
100
bluez.gitignore
Normal file
@ -0,0 +1,100 @@
|
||||
*.o
|
||||
*.a
|
||||
*.lo
|
||||
*.la
|
||||
*.so
|
||||
.deps
|
||||
.libs
|
||||
.dirstamp
|
||||
Makefile
|
||||
Makefile.in
|
||||
aclocal.m4
|
||||
config.guess
|
||||
config.h
|
||||
config.h.in
|
||||
config.log
|
||||
config.status
|
||||
config.sub
|
||||
configure
|
||||
depcomp
|
||||
compile
|
||||
install-sh
|
||||
libtool
|
||||
ltmain.sh
|
||||
missing
|
||||
stamp-h1
|
||||
autom4te.cache
|
||||
|
||||
ylwrap
|
||||
lexer.c
|
||||
parser.h
|
||||
parser.c
|
||||
|
||||
bluez.pc
|
||||
lib/bluetooth
|
||||
src/builtin.h
|
||||
src/bluetoothd
|
||||
audio/telephony.c
|
||||
sap/sap.c
|
||||
scripts/bluetooth.rules
|
||||
scripts/97-bluetooth.rules
|
||||
scripts/97-bluetooth-hid2hci.rules
|
||||
|
||||
sbc/sbcdec
|
||||
sbc/sbcenc
|
||||
sbc/sbcinfo
|
||||
sbc/sbctester
|
||||
|
||||
attrib/gatttool
|
||||
tools/avctrl
|
||||
tools/avinfo
|
||||
tools/bccmd
|
||||
tools/ciptool
|
||||
tools/dfubabel
|
||||
tools/dfutool
|
||||
tools/hciattach
|
||||
tools/hciconfig
|
||||
tools/hcieventmask
|
||||
tools/hcisecfilter
|
||||
tools/hcitool
|
||||
tools/hid2hci
|
||||
tools/rfcomm
|
||||
tools/l2ping
|
||||
tools/ppporc
|
||||
tools/sdptool
|
||||
cups/bluetooth
|
||||
test/agent
|
||||
test/bdaddr
|
||||
test/hciemu
|
||||
test/attest
|
||||
test/hstest
|
||||
test/avtest
|
||||
test/l2test
|
||||
test/rctest
|
||||
test/scotest
|
||||
test/gaptest
|
||||
test/sdptest
|
||||
test/lmptest
|
||||
test/ipctest
|
||||
test/btiotest
|
||||
test/test-textfile
|
||||
test/uuidtest
|
||||
test/mpris-player
|
||||
compat/dund
|
||||
compat/hidd
|
||||
compat/pand
|
||||
unit/test-eir
|
||||
mgmt/btmgmt
|
||||
monitor/btmon
|
||||
emulator/btvirt
|
||||
|
||||
doc/*.bak
|
||||
doc/*.stamp
|
||||
doc/bluez.*
|
||||
doc/bluez-*.txt
|
||||
doc/*.sgml
|
||||
doc/version.xml
|
||||
doc/xml
|
||||
doc/html
|
||||
src/bluetoothd.8
|
||||
src/bluetooth.service
|
1182
bluez.spec
Normal file
1182
bluez.spec
Normal file
File diff suppressed because it is too large
Load Diff
30
btattach-bcm-service.sh
Normal file
30
btattach-bcm-service.sh
Normal file
@ -0,0 +1,30 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Simple shell script to wait for the tty for an uart using BT HCI to show up
|
||||
# and then invoke btattach with the right parameters, this is intended to be
|
||||
# invoked from a hardware-activated systemd service
|
||||
#
|
||||
# For now this only suports ACPI enumerated Broadcom BT HCIs.
|
||||
# This has been tested on Bay and Cherry Trail devices with both ACPI and
|
||||
# PCI enumerated UARTs.
|
||||
#
|
||||
# Note the kernel bt developers are working on solving this entirely in the
|
||||
# kernel, so it is not worth the trouble to write something better then this.
|
||||
|
||||
BT_DEV="/sys/bus/platform/devices/$1"
|
||||
BT_DEV="$(readlink -f $BT_DEV)"
|
||||
UART_DEV="$(dirname $BT_DEV)"
|
||||
|
||||
# Stupid GPD-pocket has USB BT with id 0000:0000, but still claims to have
|
||||
# an uart attached bt
|
||||
if [ "$1" = "BCM2E7E:00" ] && lsusb | grep -q "ID 0000:0000"; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
while [ ! -d "$UART_DEV/tty" ]; do
|
||||
sleep .2
|
||||
done
|
||||
|
||||
TTY="$(ls $UART_DEV/tty)"
|
||||
|
||||
exec btattach --bredr "/dev/$TTY" -P bcm
|
6
btattach-bcm@.service
Normal file
6
btattach-bcm@.service
Normal file
@ -0,0 +1,6 @@
|
||||
[Unit]
|
||||
Description=btattach for Broadcom devices
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/libexec/bluetooth/btattach-bcm-service.sh %I
|
Loading…
Reference in New Issue
Block a user