RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/bluez#ea45d3989ea6a8eaf21830c923bd9ad62722b6bb
This commit is contained in:
parent
469ec22d7e
commit
3b610b9e61
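--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/bluez-4.*.tar.gz
+/bluez-5.*.tar.xz
+/sources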
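--- a/0001-build-Always-define-confdir-and-statedir.patch
+++ b/0001-build-Always-define-confdir-and-statedir.patch
@@ -0,0 +1,35 @@
+From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 20 Sep 2017 12:49:10 +0200
+Subject: [PATCH 1/4] build: Always define confdir and statedir
+
+As we will need those paths to lock down on them.
+---
+Makefile.am | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 9d25a815b..ac88c12e0 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -31,14 +31,14 @@ pkginclude_HEADERS =
+AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
+AM_LDFLAGS = $(MISC_LDFLAGS)
+
++confdir = $(sysconfdir)/bluetooth
++statedir = $(localstatedir)/lib/bluetooth
++
+if DATAFILES
+dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
+dbus_DATA = src/bluetooth.conf
+
+-confdir = $(sysconfdir)/bluetooth
+conf_DATA =
+-
+-statedir = $(localstatedir)/lib/bluetooth
+state_DATA =
+endif
+
+--
+2.21.0
+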
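--- a/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
+++ b/0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
@@ -0,0 +1,38 @@
+From 90b72b787a6ae6b9b0bf8ece238e108e8607a433 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Sat, 9 Nov 2013 18:13:43 +0100
+Subject: [PATCH 1/2] obex: Use GLib helper function to manipulate paths
+
+Instead of trying to do it by hand. This also makes sure that
+relative paths aren't used by the agent.
+---
+obexd/src/manager.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/obexd/src/manager.c b/obexd/src/manager.c
+index f84384ae4..285c07c37 100644
+--- a/obexd/src/manager.c
++++ b/obexd/src/manager.c
+@@ -650,14 +650,14 @@ static void agent_reply(DBusPendingCall *call, void *user_data)
+DBUS_TYPE_STRING, &name,
+DBUS_TYPE_INVALID)) {
+/* Splits folder and name */
+- const char *slash = strrchr(name, '/');
++ gboolean is_relative = !g_path_is_absolute(name);
+DBG("Agent replied with %s", name);
+- if (!slash) {
+- agent->new_name = g_strdup(name);
++ if (is_relative) {
++ agent->new_name = g_path_get_basename(name);
+agent->new_folder = NULL;
+} else {
+- agent->new_name = g_strdup(slash + 1);
+- agent->new_folder = g_strndup(name, slash - name);
++ agent->new_name = g_path_get_basename(name);
++ agent->new_folder = g_path_get_dirname(name);
+}
+}
+
+--
+2.14.1
+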
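Review bot: g_path_get_dirname() on the absolute branch (`agent->new_folder = g_path_get_dirname(name);`) splits the string but does not normalise it, so an agent reply such as `/var/lib/obex/../../tmp/x` still lands in new_folder with its `..` segments intact; if new_folder is later joined into a filesystem path (not visible here), the protection against agent-chosen locations that the commit message advertises is only partial. A cheap guard before the split would reject any path component equal to `..`, for example by walking `g_strsplit(name, "/", -1)` and failing the reply when a piece matches. Note also that `g_path_get_basename("")` returns `"."` whereas the old `g_strdup(name)` stored `""`, so an empty reply now yields a file name of `.`; an explicit empty-string check would keep that case rejected instead of silently renamed. agent_reply() begins and ends outside this hunk.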
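--- a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@@ -0,0 +1,38 @@
+From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
+From: Craig Andrews <candrews@integralblue.com>
+Date: Wed, 13 Sep 2017 15:23:09 +0200
+Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
+PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
+namespace. This is useful to secure access to temporary files of the
+process.
+
+NoNewPrivileges ensures that service process and all its children
+can never gain new privileges through execve(), lowering the risk of
+possible privilege escalations.
+---
+src/bluetooth.service.in | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index f9faaa452..7c2f60bb4 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -12,8 +12,14 @@ NotifyAccess=main
+#Restart=on-failure
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+LimitNPROC=1
++
++# Filesystem lockdown
+ProtectHome=true
+ProtectSystem=full
++PrivateTmp=true
++
++# Privilege escalation
++NoNewPrivileges=true
+
+[Install]
+WantedBy=bluetooth.target
+--
+2.21.0
+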
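Review bot: `NoNewPrivileges=true` also makes the kernel refuse SELinux domain transitions on execve unless the policy explicitly allows them under no-new-privs (the `nnp_transition` permission), and on an SELinux-enforcing RHEL host bluetoothd is normally expected to run in its own confined domain rather than inherit systemd's; this needs to be confirmed against the RHEL 9 policy before the patch is carried, because systemd gives no warning when the transition is silently denied. A one-line comment beside the directive recording that check would save the next maintainer the same investigation, e.g. `# SELinux: confirmed the bluetoothd domain transition is permitted under NNP`. The beginning of the [Service] section, including ExecStart, is outside this hunk.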
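--- a/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/0003-systemd-Add-more-filesystem-lockdown.patch
@@ -0,0 +1,44 @@
+From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:37:11 +0200
+Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
+
+We can only access the configuration file as read-only and read-write
+to the Bluetooth cache directory and sub-directories.
+---
+Makefile.am | 3 +++
+src/bluetooth.service.in | 4 ++++
+2 files changed, 7 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index ac88c12e0..0a6d09847 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
+
+SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
+$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
++ -e 's,@libexecdir\@,$(libexecdir),g' \
++ -e 's,@statedir\@,$(statedir),g' \
++ -e 's,@confdir\@,$(confdir),g' \
+< $< > $@
+
+%.service: %.service.in Makefile
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 7c2f60bb4..4daedef2a 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -17,6 +17,10 @@ LimitNPROC=1
+ProtectHome=true
+ProtectSystem=full
+PrivateTmp=true
++ProtectKernelTunables=true
++ProtectControlGroups=true
++ReadWritePaths=@statedir@
++ReadOnlyPaths=@confdir@
+
+# Privilege escalation
+NoNewPrivileges=true
+--
+2.21.0
+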
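Review bot: The commit message says the daemon can only reach the configuration directory read-only and the state directory read-write, but with the existing `ProtectSystem=full` only /usr, /boot and /etc are made read-only, so `ReadOnlyPaths=@confdir@` is redundant and `ReadWritePaths=@statedir@` does not restrict anything — the rest of /var and /run stay writable. The described lockdown only holds with `ProtectSystem=strict`, which in turn needs `ReadWritePaths=` entries for anything else bluetoothd writes (for example under /run); that set is not visible here and would have to be established by testing. If `strict` is not wanted in this series, the message should be reworded so it does not overstate what the unit enforces, e.g. "Allow write access to the state directory and pin the configuration directory read-only". The hunk's sed additions mirror the existing `@pkglibexecdir@` line, so the new `@libexecdir@` substitution is harmless even though nothing in this patch uses it.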
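--- a/0004-systemd-More-lockdown.patch
+++ b/0004-systemd-More-lockdown.patch
@@ -0,0 +1,34 @@
+From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:38:26 +0200
+Subject: [PATCH 4/4] systemd: More lockdown
+
+bluetoothd does not need to execute mapped memory, or real-time
+access, so block those.
+---
+src/bluetooth.service.in | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 4daedef2a..f18801866 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -22,9 +22,15 @@ ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
+
++# Execute Mappings
++MemoryDenyWriteExecute=true
++
+# Privilege escalation
+NoNewPrivileges=true
+
++# Real-time
++RestrictRealtime=true
++
+[Install]
+WantedBy=bluetooth.target
+Alias=dbus-org.bluez.service
+--
+2.21.0
+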
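Review bot: `MemoryDenyWriteExecute=true` is process-wide, so it also governs every plugin bluetoothd loads at runtime; the in-tree plugins are ordinary shared objects and should be unaffected, but an out-of-tree plugin that needs writable-and-executable mappings will now fail to load with nothing in the unit explaining why. A short comment next to the directive would make that visible, e.g. `# Also applies to loaded plugins: anything needing W+X mappings will fail to load`. The obvious companion for a daemon that talks only D-Bus and Bluetooth sockets is `RestrictAddressFamilies=AF_UNIX AF_BLUETOOTH`, but the exact family set is not visible here and should be confirmed (an strace of a pairing session is enough) before adding it. The start of the [Service] section is outside this hunk.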
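--- a/69-btattach-bcm.rules
+++ b/69-btattach-bcm.rules
@@ -0,0 +1,33 @@
+# Some devices have a bluetooth HCI connected to an uart, these needs to be
+# setup by calling btattach. The systemd btattach-bcm.service takes care of
+# this. These udev rules hardware-activate that service when necessary.
+#
+# For now this only suports ACPI enumerated Broadcom BT HCIs.
+# This has been tested on Bay and Cherry Trail devices with both ACPI and
+# PCI enumerated UARTs.
+
+# Note we check for the platform device not for the acpi device, because
+# some DSDTs list multiple bluetooth adapters, but only some (or none)
+# are enabled. Only enabled adapters get a platform device created.
+ACTION!="add", GOTO="btattach_bcm_rules_end"
+SUBSYSTEM!="platform", GOTO="btattach_bcm_rules_end"
+
+KERNEL=="BCM2E1A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E39:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E3A:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E3D:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E3F:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E40:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E54:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E55:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E64:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E65:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E67:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E71:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E7B:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E7C:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E7E:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E95:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+KERNEL=="BCM2E96:00", TAG+="systemd", ENV{SYSTEMD_WANTS}="btattach-bcm@%k.service"
+
+LABEL="btattach_bcm_rules_end"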
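Review bot: The header comment has a typo, `suports` → `supports` (`# For now this only supports ACPI enumerated Broadcom BT HCIs.`), repeated in btattach-bcm-service.sh. Each rule hands the kernel name to the service as its instance via `%k`, and the service script turns that instance into a sysfs path; that is safe only because every rule first pins `KERNEL==` to an exact ACPI id, so a comment stating the invariant above the list would stop a future `KERNEL=="BCM2E*"` shortcut from forwarding arbitrary names, e.g. `# Keep KERNEL== exact: %k becomes the btattach-bcm@ instance and is used as a sysfs path by the helper`.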
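--- a/bluez.gitignore
+++ b/bluez.gitignore
@@ -0,0 +1,100 @@
+*.o
+*.a
+*.lo
+*.la
+*.so
+.deps
+.libs
+.dirstamp
+Makefile
+Makefile.in
+aclocal.m4
+config.guess
+config.h
+config.h.in
+config.log
+config.status
+config.sub
+configure
+depcomp
+compile
+install-sh
+libtool
+ltmain.sh
+missing
+stamp-h1
+autom4te.cache
+
+ylwrap
+lexer.c
+parser.h
+parser.c
+
+bluez.pc
+lib/bluetooth
+src/builtin.h
+src/bluetoothd
+audio/telephony.c
+sap/sap.c
+scripts/bluetooth.rules
+scripts/97-bluetooth.rules
+scripts/97-bluetooth-hid2hci.rules
+
+sbc/sbcdec
+sbc/sbcenc
+sbc/sbcinfo
+sbc/sbctester
+
+attrib/gatttool
+tools/avctrl
+tools/avinfo
+tools/bccmd
+tools/ciptool
+tools/dfubabel
+tools/dfutool
+tools/hciattach
+tools/hciconfig
+tools/hcieventmask
+tools/hcisecfilter
+tools/hcitool
+tools/hid2hci
+tools/rfcomm
+tools/l2ping
+tools/ppporc
+tools/sdptool
+cups/bluetooth
+test/agent
+test/bdaddr
+test/hciemu
+test/attest
+test/hstest
+test/avtest
+test/l2test
+test/rctest
+test/scotest
+test/gaptest
+test/sdptest
+test/lmptest
+test/ipctest
+test/btiotest
+test/test-textfile
+test/uuidtest
+test/mpris-player
+compat/dund
+compat/hidd
+compat/pand
+unit/test-eir
+mgmt/btmgmt
+monitor/btmon
+emulator/btvirt
+
+doc/*.bak
+doc/*.stamp
+doc/bluez.*
+doc/bluez-*.txt
+doc/*.sgml
+doc/version.xml
+doc/xml
+doc/html
+src/bluetoothd.8
+src/bluetooth.service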
1182
bluez.spec
Normal file
1182
bluez.spec
Normal file
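--- a/btattach-bcm-service.sh
+++ b/btattach-bcm-service.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Simple shell script to wait for the tty for an uart using BT HCI to show up
+# and then invoke btattach with the right parameters, this is intended to be
+# invoked from a hardware-activated systemd service
+#
+# For now this only suports ACPI enumerated Broadcom BT HCIs.
+# This has been tested on Bay and Cherry Trail devices with both ACPI and
+# PCI enumerated UARTs.
+#
+# Note the kernel bt developers are working on solving this entirely in the
+# kernel, so it is not worth the trouble to write something better then this.
+
+BT_DEV="/sys/bus/platform/devices/$1"
+BT_DEV="$(readlink -f $BT_DEV)"
+UART_DEV="$(dirname $BT_DEV)"
+
+# Stupid GPD-pocket has USB BT with id 0000:0000, but still claims to have
+# an uart attached bt
+if [ "$1" = "BCM2E7E:00" ] && lsusb | grep -q "ID 0000:0000"; then
+exit 0
+fi
+
+while [ ! -d "$UART_DEV/tty" ]; do
+sleep .2
+done
+
+TTY="$(ls $UART_DEV/tty)"
+
+exec btattach --bredr "/dev/$TTY" -P bcm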
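Review bot: `BT_DEV="$(readlink -f $BT_DEV)"`, `UART_DEV="$(dirname $BT_DEV)"` and `TTY="$(ls $UART_DEV/tty)"` expand unquoted, `$1` is spliced into a sysfs path with no validation, and the `ls` output is taken as a single name even though the tty directory could hold more than one entry, in which case `/dev/$TTY` points at something unintended. The wait loop is also unbounded, so a tty that never appears keeps the helper (and the Type=simple unit) running forever with nothing to flag it. In practice `$1` is the udev-matched kernel name, so this is mostly a robustness issue, but quoting, a name check, a bounded wait and a glob-based single-tty check are cheap; the rewrite below leaves the header comment, the GPD-pocket quirk and the final `exec` as they are. While there, `suports` in the header should read `supports`.
```shell
#!/bin/bash
set -u

# … unchanged: header comment …

# The instance name comes from the udev KERNEL== match; refuse anything that
# could escape /sys/bus/platform/devices before it is used as a path.
case "${1-}" in
	""|*/*|*..*) echo "btattach-bcm: invalid device name '${1-}'" >&2; exit 1 ;;
esac

BT_DEV="$(readlink -f "/sys/bus/platform/devices/$1")"
UART_DEV="$(dirname "$BT_DEV")"

# … unchanged: GPD-pocket USB quirk …

# Bounded wait (30 s) so a tty that never shows up does not leave the unit
# spinning forever under Type=simple.
tries=0
while [ ! -d "$UART_DEV/tty" ]; do
	tries=$((tries + 1))
	if [ "$tries" -ge 150 ]; then
		echo "btattach-bcm: no tty appeared under $UART_DEV" >&2
		exit 1
	fi
	sleep .2
done

# Exactly one tty is expected; the glob keeps odd names intact and lets us
# check the count instead of splitting ls output.
set -- "$UART_DEV"/tty/*
if [ $# -ne 1 ] || [ ! -e "$1" ]; then
	echo "btattach-bcm: expected exactly one tty under $UART_DEV/tty" >&2
	exit 1
fi
TTY="$(basename "$1")"

# … unchanged: exec btattach …
```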
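--- a/btattach-bcm@.service
+++ b/btattach-bcm@.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=btattach for Broadcom devices
+
+[Service]
+Type=simple
+ExecStart=/usr/libexec/bluetooth/btattach-bcm-service.sh %I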
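Review bot: The unit runs the helper as root with no sandboxing and, because of `Type=simple`, no start timeout: systemd treats the service as started the moment the script is forked, so if the script's wait for the tty never completes the unit sits in "active (running)" indefinitely and nothing reports the failed attach. btattach needs CAP_NET_ADMIN plus the UART device node, so a starting point that should not break it is `CapabilityBoundingSet=CAP_NET_ADMIN`, `ProtectSystem=strict` and `ProtectHome=true`; a `DeviceAllow=` for the tty would be the next step but the node name is only known at runtime, so this has to be confirmed on real hardware. A short comment in the unit stating that `%I` is the udev-matched kernel name and that the helper derives a sysfs path from it would also document why the instance must never be started by hand with an arbitrary argument.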