+ bluez-5.47-2

Lockdown Bluetooth systemd service

0001-build-Always-define-confdir-and-statedir.patch

@@ -0,0 +1,35 @@
+From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 20 Sep 2017 12:49:10 +0200
+Subject: [PATCH 1/4] build: Always define confdir and statedir
+
+As we will need those paths to lock down on them.
+---
+ Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 555f301ca..1c38d94e5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -30,14 +30,14 @@ include_HEADERS =
+ AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS)
+ AM_LDFLAGS = $(MISC_LDFLAGS)
+ 
++confdir = $(sysconfdir)/bluetooth
++statedir = $(localstatedir)/lib/bluetooth
++
+ if DATAFILES
+ dbusdir = @DBUS_CONFDIR@/dbus-1/system.d
+ dbus_DATA = src/bluetooth.conf
+ 
+-confdir = $(sysconfdir)/bluetooth
+ conf_DATA =
+-
+-statedir = $(localstatedir)/lib/bluetooth
+ state_DATA =
+ endif
+ 
+-- 
+2.14.1
+

0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

@@ -0,0 +1,38 @@
+From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
+From: Craig Andrews <candrews@integralblue.com>
+Date: Wed, 13 Sep 2017 15:23:09 +0200
+Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
+
+PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
+namespace. This is useful to secure access to temporary files of the
+process.
+
+NoNewPrivileges ensures that service process and all its children
+can never gain new privileges through execve(), lowering the risk of
+possible privilege escalations.
+---
+ src/bluetooth.service.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index f799f65f0..a6f3030f9 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -12,8 +12,14 @@ NotifyAccess=main
+ #Restart=on-failure
+ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+ LimitNPROC=1
++
++# Filesystem lockdown
+ ProtectHome=true
+ ProtectSystem=full
++PrivateTmp=true
++
++# Privilege escalation
++NoNewPrivileges=true
+ 
+ [Install]
+ WantedBy=bluetooth.target
+-- 
+2.14.1
+

0003-systemd-Add-more-filesystem-lockdown.patch

@@ -0,0 +1,43 @@
+From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:37:11 +0200
+Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
+
+We can only access the configuration file as read-only and read-write
+to the Bluetooth cache directory and sub-directories.
+---
+ Makefile.am              | 2 ++
+ src/bluetooth.service.in | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 1c38d94e5..13ccf9079 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+ 
+ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
+ 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
++		       -e 's,@statedir\@,$(statedir),g' \
++		       -e 's,@confdir\@,$(confdir),g' \
+ 		< $< > $@
+ 
+ %.service: %.service.in Makefile
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index a6f3030f9..7e55b5043 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -17,6 +17,10 @@ LimitNPROC=1
+ ProtectHome=true
+ ProtectSystem=full
+ PrivateTmp=true
++ProtectKernelTunables=true
++ProtectControlGroups=true
++ReadWritePaths=@statedir@
++ReadOnlyPaths=@confdir@
+ 
+ # Privilege escalation
+ NoNewPrivileges=true
+-- 
+2.14.1
+

0004-systemd-More-lockdown.patch

@@ -0,0 +1,34 @@
+From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 13 Sep 2017 15:38:26 +0200
+Subject: [PATCH 4/4] systemd: More lockdown
+
+bluetoothd does not need to execute mapped memory, or real-time
+access, so block those.
+---
+ src/bluetooth.service.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
+index 7e55b5043..e8267b338 100644
+--- a/src/bluetooth.service.in
++++ b/src/bluetooth.service.in
+@@ -22,9 +22,15 @@ ProtectControlGroups=true
+ ReadWritePaths=@statedir@
+ ReadOnlyPaths=@confdir@
+ 
++# Execute Mappings
++MemoryDenyWriteExecute=true
++
+ # Privilege escalation
+ NoNewPrivileges=true
+ 
++# Real-time
++RestrictRealtime=true
++
+ [Install]
+ WantedBy=bluetooth.target
+ Alias=dbus-org.bluez.service
+-- 
+2.14.1
+

bluez.spec

@@ -1,7 +1,7 @@
 Name:    bluez
 Summary: Bluetooth utilities
 Version: 5.47
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 URL:     http://www.bluez.org/
 
@@ -37,6 +37,12 @@ Patch107: 0007-plugins-sixaxis-Rename-sixaxis-specific-functions.patch
 Patch108: 0008-plugins-sixaxis-Add-support-for-DualShock-4-PS4-cabl.patch
 Patch109: 0009-plugins-sixaxis-Cancel-cable-pairing-if-unplugged.patch
 
+# https://github.com/hadess/bluez/commits/systemd-hardening
+Patch120: 0001-build-Always-define-confdir-and-statedir.patch
+Patch121: 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+Patch122: 0003-systemd-Add-more-filesystem-lockdown.patch
+Patch123: 0004-systemd-More-lockdown.patch
+
 BuildRequires: git-core
 BuildRequires: dbus-devel >= 1.6
 BuildRequires: glib2-devel
@@ -266,6 +272,10 @@ install -D -p -m0755 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 %{_userunitdir}/obex.service
 
 %changelog
+* Wed Sep 20 2017 Bastien Nocera <bnocera@redhat.com> - 5.47-2
++ bluez-5.47-2
+- Lockdown Bluetooth systemd service
+
 * Thu Sep 14 2017 Peter Robinson <pbrobinson@fedoraproject.org> 5.47-1
 - New upstream 5.47 bugfix release
 - Initial support for Bluetooth LE mesh