RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/bluez#ea45d3989ea6a8eaf21830c923bd9ad62722b6bb
2020-10-14 22:21:10 +02:00 · 2020-10-14 22:21:10 +02:00 · 3b610b9e61
parent 469ec22d7e
commit 3b610b9e61
12 changed files with 1544 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+/bluez-4.*.tar.gz
+/bluez-5.*.tar.xz
+/sources
--- a/0001-build-Always-define-confdir-and-statedir.patch
+++ b/0001-build-Always-define-confdir-and-statedir.patch
@ -0,0 +1,35 @@
+From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 20 Sep 2017 12:49:10 +0200
+Subject: [PATCH 1/4] build: Always define confdir and statedir
+
+As we will need those paths to lock down on them.
+---
+ Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 9d25a815b..ac88c12e0 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -31,14 +31,14 @@ pkginclude_HEADERS =
+ AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
+ AM_LDFLAGS = $(MISC_LDFLAGS)
+ 
+confdir = $(sysconfdir)/bluetooth
+statedir = $(localstatedir)/lib/bluetooth
+
+ if DATAFILES
+ dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
+ dbus_DATA = src/bluetooth.conf
+ 
+-confdir = $(sysconfdir)/bluetooth
+ conf_DATA =
+-
+-statedir = $(localstatedir)/lib/bluetooth
+ state_DATA =
+ endif
+ 
+-- 
+2.21.0
+
--- a/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
+++ b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@ -0,0 +1,38 @@
+From 90b72b787a6ae6b9b0bf8ece238e108e8607a433 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Sat, 9 Nov 2013 18:13:43 +0100
+Subject: [PATCH 1/2] obex: Use GLib helper function to manipulate paths
+
+Instead of trying to do it by hand. This also makes sure that
+relative paths aren't used by the agent.
+---
+ obexd/src/manager.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/obexd/src/manager.c b/obexd/src/manager.c
+index f84384ae4..285c07c37 100644
+--- a/obexd/src/manager.c
+++ b/obexd/src/manager.c
+@@ -650,14 +650,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
+ 				DBUS_TYPE_STRING, &name,
+ 				DBUS_TYPE_INVALID)) {
+ 		/* Splits folder and name */
+-		const char *slash = strrchr(name, '/');
+		gboolean is_relative = !g_path_is_absolute(name);
+ 		DBG("Agent replied with %s", name);
+-		if (!slash) {
+-			agent->new_name = g_strdup(name);
+		if (is_relative) {
+			agent->new_name = g_path_get_basename(name);
+ 			agent->new_folder = NULL;
+ 		} else {
+-			agent->new_name = g_strdup(slash + 1);
+-			agent->new_folder = g_strndup(name, slash - name);
+			agent->new_name = g_path_get_basename(name);
+			agent->new_folder = g_path_get_dirname(name);
+ 		}
+ 	}
+ 
+-- 
+2.14.1
+
--- a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@ -0,0 +1,38 @@
+From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
+From: Craig Andrews <candrews@integralblue.com>
+Date: Wed, 13 Sep 2017 15:23:09 +0200
+Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
+PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
+namespace. This is useful to secure access to temporary files of the
+process.
+
+NoNewPrivileges ensures that service process and all its children
+can never gain new privileges through execve(), lowering the risk of
+possible privilege escalations.
+---
+ src/bluetooth.service.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index f9faaa452..7c2f60bb4 100644
+--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
+@@ -12,8 +12,14 @@ NotifyAccess=main
+ #Restart=on-failure
+ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+ LimitNPROC=1
+
+# Filesystem lockdown
+ ProtectHome=true
+ ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
+ 
+ [Install]
+ WantedBy=bluetooth.target
+-- 
+2.21.0
+
--- a/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/0003-systemd-Add-more-filesystem-lockdown.patch
@ -0,0 +1,44 @@
+From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:37:11 +0200
+Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
+
+We can only access the configuration file as read-only and read-write
+to the Bluetooth cache directory and sub-directories.
+---
+ Makefile.am              | 3 +++
+ src/bluetooth.service.in | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index ac88c12e0..0a6d09847 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
+ 
+ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
+ 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+		       -e 's,@libexecdir\@,$(libexecdir),g' \
+		       -e 's,@statedir\@,$(statedir),g' \
+		       -e 's,@confdir\@,$(confdir),g' \
+ 		< $< > $@
+ 
+ %.service: %.service.in Makefile
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 7c2f60bb4..4daedef2a 100644
+--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
+@@ -17,6 +17,10 @@ LimitNPROC=1
+ ProtectHome=true
+ ProtectSystem=full
+ PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
+ 
+ # Privilege escalation
+ NoNewPrivileges=true
+-- 
+2.21.0
+
--- a/0004-systemd-More-lockdown.patch
+++ b/0004-systemd-More-lockdown.patch
@ -0,0 +1,34 @@
+From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:38:26 +0200
+Subject: [PATCH 4/4] systemd: More lockdown
+
+bluetoothd does not need to execute mapped memory, or real-time
+access, so block those.
+---
+ src/bluetooth.service.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 4daedef2a..f18801866 100644
+--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
+@@ -22,9 +22,15 @@ ProtectControlGroups=true
+ ReadWritePaths=@statedir@
+ ReadOnlyPaths=@confdir@
+ 
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+ # Privilege escalation
+ NoNewPrivileges=true
+ 
+# Real-time
+RestrictRealtime=true
+
+ [Install]
+ WantedBy=bluetooth.target
+ Alias=dbus-org.bluez.service
+-- 
+2.21.0
+
--- a/69-btattach-bcm.rules
+++ b/69-btattach-bcm.rules
@ -0,0 +1,33 @@
+# Some devices have a bluetooth HCI connected to an uart, these needs to be
+# setup by calling btattach. The systemd btattach-bcm.service takes care of
+# this. These udev rules hardware-activate that service when necessary.
+#
+# For now this only suports ACPI enumerated Broadcom BT HCIs.
+# This has been tested on Bay and Cherry Trail devices with both ACPI and
+# PCI enumerated UARTs.
+
+# Note we check for the platform device not for the acpi device, because
+# some DSDTs list multiple bluetooth adapters, but only some (or none)
+# are enabled. Only enabled adapters get a platform device created.
+ACTION!="add", GOTO="btattach_bcm_rules_end"
+SUBSYSTEM!="platform", GOTO="btattach_bcm_rules_end"
+
+KERNEL=="BCM2E1A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E39:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E3A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E3D:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E3F:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E40:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E54:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E55:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E64:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E65:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E67:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E71:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E7B:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E7C:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E7E:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E95:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E96:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+
+LABEL="btattach_bcm_rules_end"
--- a/bluez.gitignore
+++ b/bluez.gitignore
@ -0,0 +1,100 @@
+*.o
+*.a
+*.lo
+*.la
+*.so
+.deps
+.libs
+.dirstamp
+Makefile
+Makefile.in
+aclocal.m4
+config.guess
+config.h
+config.h.in
+config.log
+config.status
+config.sub
+configure
+depcomp
+compile
+install-sh
+libtool
+ltmain.sh
+missing
+stamp-h1
+autom4te.cache
+
+ylwrap
+lexer.c
+parser.h
+parser.c
+
+bluez.pc
+lib/bluetooth
+src/builtin.h
+src/bluetoothd
+audio/telephony.c
+sap/sap.c
+scripts/bluetooth.rules
+scripts/97-bluetooth.rules
+scripts/97-bluetooth-hid2hci.rules
+
+sbc/sbcdec
+sbc/sbcenc
+sbc/sbcinfo
+sbc/sbctester
+
+attrib/gatttool
+tools/avctrl
+tools/avinfo
+tools/bccmd
+tools/ciptool
+tools/dfubabel
+tools/dfutool
+tools/hciattach
+tools/hciconfig
+tools/hcieventmask
+tools/hcisecfilter
+tools/hcitool
+tools/hid2hci
+tools/rfcomm
+tools/l2ping
+tools/ppporc
+tools/sdptool
+cups/bluetooth
+test/agent
+test/bdaddr
+test/hciemu
+test/attest
+test/hstest
+test/avtest
+test/l2test
+test/rctest
+test/scotest
+test/gaptest
+test/sdptest
+test/lmptest
+test/ipctest
+test/btiotest
+test/test-textfile
+test/uuidtest
+test/mpris-player
+compat/dund
+compat/hidd
+compat/pand
+unit/test-eir
+mgmt/btmgmt
+monitor/btmon
+emulator/btvirt
+
+doc/*.bak
+doc/*.stamp
+doc/bluez.*
+doc/bluez-*.txt
+doc/*.sgml
+doc/version.xml
+doc/xml
+doc/html
+src/bluetoothd.8
+src/bluetooth.service
--- a/bluez.spec
+++ b/bluez.spec
--- a/btattach-bcm-service.sh
+++ b/btattach-bcm-service.sh
@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Simple shell script to wait for the tty for an uart using BT HCI to show up
+# and then invoke btattach with the right parameters, this is intended to be
+# invoked from a hardware-activated systemd service
+#
+# For now this only suports ACPI enumerated Broadcom BT HCIs.
+# This has been tested on Bay and Cherry Trail devices with both ACPI and
+# PCI enumerated UARTs.
+#
+# Note the kernel bt developers are working on solving this entirely in the
+# kernel, so it is not worth the trouble to write something better then this.
+
+BT_DEV="/sys/bus/platform/devices/$1"
+BT_DEV="$(readlink -f $BT_DEV)"
+UART_DEV="$(dirname $BT_DEV)"
+
+# Stupid GPD-pocket has USB BT with id 0000:0000, but still claims to have
+# an uart attached bt
+if [ "$1" = "BCM2E7E:00" ] && lsusb | grep -q "ID 0000:0000"; then
+	exit 0
+fi
+
+while [ ! -d "$UART_DEV/tty" ]; do
+	sleep .2
+done
+
+TTY="$(ls $UART_DEV/tty)"
+
+exec btattach --bredr "/dev/$TTY" -P bcm
--- a/btattach-bcm@.service
+++ b/btattach-bcm@.service
@ -0,0 +1,6 @@
+[Unit]
+Description=btattach for Broadcom devices
+
+[Service]
+Type=simple
+ExecStart=/usr/libexec/bluetooth/btattach-bcm-service.sh %I
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (bluez-5.55.tar.xz) = 9423cb60d15a6f068838497a1eaea9f5a32d70c07191c313ba821a6919d6e0c436ada4f547cc5f2db5eacc0123429ad54851f57df2554f61fa293743ec14a033
				`@ -0,0 +1 @@`
				`SHA512 (bluez-5.55.tar.xz) = 9423cb60d15a6f068838497a1eaea9f5a32d70c07191c313ba821a6919d6e0c436ada4f547cc5f2db5eacc0123429ad54851f57df2554f61fa293743ec14a033`