!9 update to 5.54

Merge pull request !9 from orange-snn/master

0001-build-Always-define-confdir-and-statedir.patch

@@ -1,4 +1,4 @@
-From 69d2e7bebb79f500179298c6c51fafbc217df6c8 Mon Sep 17 00:00:00 2001
+From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 20 Sep 2017 12:49:10 +0200
 Subject: [PATCH 1/4] build: Always define confdir and statedir
@@ -9,18 +9,18 @@ As we will need those paths to lock down on them.
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/Makefile.am b/Makefile.am
-index 555f301ca..1c38d94e5 100644
+index 9d25a815b..ac88c12e0 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -30,14 +30,14 @@ include_HEADERS =
- AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS)
+@@ -31,14 +31,14 @@ pkginclude_HEADERS =
+ AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
  AM_LDFLAGS = $(MISC_LDFLAGS)
  
 +confdir = $(sysconfdir)/bluetooth
 +statedir = $(localstatedir)/lib/bluetooth
 +
  if DATAFILES
- dbusdir = @DBUS_CONFDIR@/dbus-1/system.d
+ dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
  dbus_DATA = src/bluetooth.conf
  
 -confdir = $(sysconfdir)/bluetooth
@@ -31,5 +31,5 @@ index 555f301ca..1c38d94e5 100644
  endif
  
 -- 
-2.14.1
+2.21.0
 

0001-build-Enable-BIND_NOW.patch

@@ -1,31 +0,0 @@
-From e45c8fdcb3d7cdb654f6819c02d1bbb5b40b6116 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Thu, 7 Nov 2013 09:23:35 +0100
-Subject: [PATCH 1/4] build: Enable BIND_NOW
-
-Partial RELRO means that the object is GNU_RELRO but not BIND_NOW.  This
-reduces the effectiveness of RELRO.  bluez triggers this because it
-enables PIE during the build, and rpmdiff takes this as an indicator
-that the best possible hardening is desired.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=983161
----
- acinclude.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index bc39c6d73..efce2f3cb 100644
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [
- 		if (test "${enableval}" = "yes" &&
- 				test "${ac_cv_prog_cc_pie}" = "yes"); then
- 			misc_cflags="$misc_cflags -fPIC"
--			misc_ldflags="$misc_ldflags -pie"
-+			misc_ldflags="$misc_ldflags -pie -Wl,-z,now"
- 		fi
- 	])
- 	if (test "$enable_coverage" = "yes"); then
--- 
-2.14.1
-

0001-policy-Add-logic-to-connect-a-Sink.patch

@@ -1,72 +0,0 @@
-From 477ecca127c529611adbc53f08039cefaf86305d Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Tue, 26 Jun 2018 13:37:33 +0300
-Subject: [PATCH] policy: Add logic to connect a Sink
-
-If HFP/HSP HS connects and the device also supports a Sink connect it
-as well since some devices (e.g. Sony MW600) may not connect it
-automatically.
----
- plugins/policy.c | 39 +++++++++++++++++++++++++++++++++++++++
- 1 file changed, 39 insertions(+)
-
-diff --git a/plugins/policy.c b/plugins/policy.c
-index 1f5a506a2..de51e58b9 100644
---- a/plugins/policy.c
-+++ b/plugins/policy.c
-@@ -297,6 +297,42 @@ static void sink_cb(struct btd_service *service, btd_service_state_t old_state,
- 	}
- }
- 
-+static void hs_cb(struct btd_service *service, btd_service_state_t old_state,
-+						btd_service_state_t new_state)
-+{
-+	struct btd_device *dev = btd_service_get_device(service);
-+	struct policy_data *data;
-+	struct btd_service *sink;
-+
-+	/* If the device supports Sink set a timer to connect it as well */
-+	sink = btd_device_get_service(dev, A2DP_SINK_UUID);
-+	if (sink == NULL)
-+		return;
-+
-+	data = policy_get_data(dev);
-+
-+	switch (new_state) {
-+	case BTD_SERVICE_STATE_UNAVAILABLE:
-+		break;
-+	case BTD_SERVICE_STATE_DISCONNECTED:
-+		break;
-+	case BTD_SERVICE_STATE_CONNECTING:
-+		break;
-+	case BTD_SERVICE_STATE_CONNECTED:
-+		/* Check if service initiate the connection then proceed
-+		 * immediately otherwise set timer
-+		 */
-+		if (old_state == BTD_SERVICE_STATE_CONNECTING)
-+			policy_connect(data, sink);
-+		else if (btd_service_get_state(sink) !=
-+						BTD_SERVICE_STATE_CONNECTED)
-+			policy_set_sink_timer(data);
-+		break;
-+	case BTD_SERVICE_STATE_DISCONNECTING:
-+		break;
-+	}
-+}
-+
- static gboolean policy_connect_tg(gpointer user_data)
- {
- 	struct policy_data *data = user_data;
-@@ -615,6 +651,9 @@ static void service_cb(struct btd_service *service,
- 		controller_cb(service, old_state, new_state);
- 	else if (g_str_equal(profile->remote_uuid, AVRCP_TARGET_UUID))
- 		target_cb(service, old_state, new_state);
-+	else if (g_str_equal(profile->remote_uuid, HFP_HS_UUID) ||
-+			g_str_equal(profile->remote_uuid, HSP_HS_UUID))
-+		hs_cb(service, old_state, new_state);
- 
- 	/*
- 	 * Return if the reconnection feature is not enabled (all
--- 
-2.17.1
-

0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

@@ -1,4 +1,4 @@
-From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
+From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
 From: Craig Andrews <candrews@integralblue.com>
 Date: Wed, 13 Sep 2017 15:23:09 +0200
 Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
@@ -15,7 +15,7 @@ possible privilege escalations.
  1 file changed, 6 insertions(+)
 
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index f799f65f0..a6f3030f9 100644
+index f9faaa452..7c2f60bb4 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
 @@ -12,8 +12,14 @@ NotifyAccess=main
@@ -34,5 +34,5 @@ index f799f65f0..a6f3030f9 100644
  [Install]
  WantedBy=bluetooth.target
 -- 
-2.14.1
+2.21.0
 

0003-systemd-Add-more-filesystem-lockdown.patch

@@ -1,4 +1,4 @@
-From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
+From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:37:11 +0200
 Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
@@ -6,25 +6,26 @@ Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
 We can only access the configuration file as read-only and read-write
 to the Bluetooth cache directory and sub-directories.
 ---
- Makefile.am              | 2 ++
+ Makefile.am              | 3 +++
  src/bluetooth.service.in | 4 ++++
- 2 files changed, 6 insertions(+)
+ 2 files changed, 7 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index 1c38d94e5..13ccf9079 100644
+index ac88c12e0..0a6d09847 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
  
  SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
- 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
+ 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
++		       -e 's,@libexecdir\@,$(libexecdir),g' \
 +		       -e 's,@statedir\@,$(statedir),g' \
 +		       -e 's,@confdir\@,$(confdir),g' \
  		< $< > $@
  
  %.service: %.service.in Makefile
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index a6f3030f9..7e55b5043 100644
+index 7c2f60bb4..4daedef2a 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
 @@ -17,6 +17,10 @@ LimitNPROC=1
@@ -39,5 +40,5 @@ index a6f3030f9..7e55b5043 100644
  # Privilege escalation
  NoNewPrivileges=true
 -- 
-2.14.1
+2.21.0
 

0004-systemd-More-lockdown.patch

@@ -1,4 +1,4 @@
-From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
+From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 13 Sep 2017 15:38:26 +0200
 Subject: [PATCH 4/4] systemd: More lockdown
@@ -10,7 +10,7 @@ access, so block those.
  1 file changed, 6 insertions(+)
 
 diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
-index 7e55b5043..e8267b338 100644
+index 4daedef2a..f18801866 100644
 --- a/src/bluetooth.service.in
 +++ b/src/bluetooth.service.in
 @@ -22,9 +22,15 @@ ProtectControlGroups=true
@@ -30,5 +30,5 @@ index 7e55b5043..e8267b338 100644
  WantedBy=bluetooth.target
  Alias=dbus-org.bluez.service
 -- 
-2.14.1
+2.21.0
 

CVE-2020-0556-1.patch

@@ -1,31 +0,0 @@
-From 6e47f991fa00fb069f22fe0ef4779fd85dc0f540 Mon Sep 17 00:00:00 2001
-From: Alain Michaud <alainm@chromium.org>
-Date: Tue, 10 Mar 2020 02:35:16 +0000
-Subject: [PATCH 1/4] HOGP must only accept data from bonded devices.
-
-HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
-
-Reference:
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
----
- profiles/input/hog.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/profiles/input/hog.c b/profiles/input/hog.c
-index 23c9c15..f8a82bc 100644
---- a/profiles/input/hog.c
-+++ b/profiles/input/hog.c
-@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
- 			return -EINVAL;
- 	}
- 
-+	/* HOGP 1.0 Section 6.1 requires bonding */
-+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
-+		return -ECONNREFUSED;
-+
- 	/* TODO: Replace GAttrib with bt_gatt_client */
- 	bt_hog_attach(dev->hog, attrib);
- 
--- 
-1.8.3.1
-

CVE-2020-0556-2.patch

@@ -1,138 +0,0 @@
-From e16c6d3b62d0d7d5885255cf9cef686a2415330d Mon Sep 17 00:00:00 2001
-From: Alain Michaud <alainm@chromium.org>
-Date: Tue, 10 Mar 2020 02:35:18 +0000
-Subject: [PATCH 2/4] HID accepts bonded device connections only.
-
-This change adds a configuration for platforms to choose a more secure
-posture for the HID profile.  While some older mice are known to not
-support pairing or encryption, some platform may choose a more secure
-posture by requiring the device to be bonded  and require the
-connection to be encrypted when bonding is required.
-
-Reference:
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
----
- profiles/input/device.c   | 23 ++++++++++++++++++++++-
- profiles/input/device.h   |  1 +
- profiles/input/input.conf |  8 ++++++++
- profiles/input/manager.c  | 13 ++++++++++++-
- 4 files changed, 43 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/input/device.c b/profiles/input/device.c
-index 8461478..3abd2f5 100644
---- a/profiles/input/device.c
-+++ b/profiles/input/device.c
-@@ -91,6 +91,7 @@ struct input_device {
- 
- static int idle_timeout = 0;
- static bool uhid_enabled = false;
-+static bool classic_bonded_only = false;
- 
- void input_set_idle_timeout(int timeout)
- {
-@@ -102,6 +103,11 @@ void input_enable_userspace_hid(bool state)
- 	uhid_enabled = state;
- }
- 
-+void input_set_classic_bonded_only(bool state)
-+{
-+	classic_bonded_only = state;
-+}
-+
- static void input_device_enter_reconnect_mode(struct input_device *idev);
- static int connection_disconnect(struct input_device *idev, uint32_t flags);
- 
-@@ -969,8 +975,18 @@ static int hidp_add_connection(struct input_device *idev)
- 	if (device_name_known(idev->device))
- 		device_get_name(idev->device, req->name, sizeof(req->name));
- 
-+	/* Make sure the device is bonded if required */
-+	if (classic_bonded_only && !device_is_bonded(idev->device,
-+				btd_device_get_bdaddr_type(idev->device))) {
-+		error("Rejected connection from !bonded device %s", dst_addr);
-+		goto cleanup;
-+	}
-+
- 	/* Encryption is mandatory for keyboards */
--	if (req->subclass & 0x40) {
-+	/* Some platforms may choose to require encryption for all devices */
-+	/* Note that this only matters for pre 2.1 devices as otherwise the */
-+	/* device is encrypted by default by the lower layers */
-+	if (classic_bonded_only || req->subclass & 0x40) {
- 		if (!bt_io_set(idev->intr_io, &gerr,
- 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
- 					BT_IO_OPT_INVALID)) {
-@@ -1202,6 +1218,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
- 	DBG("path=%s reconnect_mode=%s", idev->path,
- 				reconnect_mode_to_string(idev->reconnect_mode));
- 
-+	/* Make sure the device is bonded if required */
-+	if (classic_bonded_only && !device_is_bonded(idev->device,
-+				btd_device_get_bdaddr_type(idev->device)))
-+		return;
-+
- 	/* Only attempt an auto-reconnect when the device is required to
- 	 * accept reconnections from the host.
- 	 */
-diff --git a/profiles/input/device.h b/profiles/input/device.h
-index 51a9aee..3044db6 100644
---- a/profiles/input/device.h
-+++ b/profiles/input/device.h
-@@ -29,6 +29,7 @@ struct input_conn;
- 
- void input_set_idle_timeout(int timeout);
- void input_enable_userspace_hid(bool state);
-+void input_set_classic_bonded_only(bool state);
- 
- int input_device_register(struct btd_service *service);
- void input_device_unregister(struct btd_service *service);
-diff --git a/profiles/input/input.conf b/profiles/input/input.conf
-index 3e1d65a..166aff4 100644
---- a/profiles/input/input.conf
-+++ b/profiles/input/input.conf
-@@ -11,3 +11,11 @@
- # Enable HID protocol handling in userspace input profile
- # Defaults to false (HIDP handled in HIDP kernel module)
- #UserspaceHID=true
-+
-+# Limit HID connections to bonded devices
-+# The HID Profile does not specify that devices must be bonded, however some
-+# platforms may want to make sure that input connections only come from bonded
-+# device connections. Several older mice have been known for not supporting
-+# pairing/encryption.
-+# Defaults to false to maximize device compatibility.
-+#ClassicBondedOnly=true
-diff --git a/profiles/input/manager.c b/profiles/input/manager.c
-index 1d31b06..5cd27b8 100644
---- a/profiles/input/manager.c
-+++ b/profiles/input/manager.c
-@@ -96,7 +96,7 @@ static int input_init(void)
- 	config = load_config_file(CONFIGDIR "/input.conf");
- 	if (config) {
- 		int idle_timeout;
--		gboolean uhid_enabled;
-+		gboolean uhid_enabled, classic_bonded_only;
- 
- 		idle_timeout = g_key_file_get_integer(config, "General",
- 							"IdleTimeout", &err);
-@@ -114,6 +114,17 @@ static int input_init(void)
- 			input_enable_userspace_hid(uhid_enabled);
- 		} else
- 			g_clear_error(&err);
-+
-+		classic_bonded_only = g_key_file_get_boolean(config, "General",
-+						"ClassicBondedOnly", &err);
-+
-+		if (!err) {
-+			DBG("input.conf: ClassicBondedOnly=%s",
-+					classic_bonded_only ? "true" : "false");
-+			input_set_classic_bonded_only(classic_bonded_only);
-+		} else
-+			g_clear_error(&err);
-+
- 	}
- 
- 	btd_profile_register(&input_profile);
--- 
-1.8.3.1
-

CVE-2020-0556-3.patch

@@ -1,48 +0,0 @@
-From dbb346f3606d07005a162e093b616519b337c5f0 Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Tue, 10 Mar 2020 09:59:07 -0700
-Subject: [PATCH 3/4] input: hog: Attempt to set security level if not bonded
-
-This attempts to set the security if the device is not bonded, the
-kernel will block any communication on the ATT socket while bumping
-the security and if that fails the device will be disconnected which
-is better than having the device dangling around without being able to
-communicate with it until it is properly bonded.
----
- profiles/input/hog.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/input/hog.c b/profiles/input/hog.c
-index f8a82bc..e0e9df2 100644
---- a/profiles/input/hog.c
-+++ b/profiles/input/hog.c
-@@ -49,6 +49,8 @@
- #include "src/shared/util.h"
- #include "src/shared/uhid.h"
- #include "src/shared/queue.h"
-+#include "src/shared/att.h"
-+#include "src/shared/gatt-client.h"
- #include "src/plugin.h"
- 
- #include "suspend.h"
-@@ -187,8 +189,15 @@ static int hog_accept(struct btd_service *service)
- 	}
- 
- 	/* HOGP 1.0 Section 6.1 requires bonding */
--	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
--		return -ECONNREFUSED;
-+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
-+		struct bt_gatt_client *client;
-+
-+		client = btd_device_get_gatt_client(device);
-+		if (!bt_gatt_client_set_security(client,
-+						BT_ATT_SECURITY_MEDIUM)) {
-+			return -ECONNREFUSED;
-+		}
-+	}
- 
- 	/* TODO: Replace GAttrib with bt_gatt_client */
- 	bt_hog_attach(dev->hog, attrib);
--- 
-1.8.3.1
-

CVE-2020-0556-4.patch

@@ -1,121 +0,0 @@
-From 304843c6f5e4d7a5a588cce7a41b2819324fc1b0 Mon Sep 17 00:00:00 2001
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Date: Wed, 11 Mar 2020 11:43:21 -0700
-Subject: [PATCH 4/4] input: Add LEAutoSecurity setting to input.conf
-
-LEAutoSecurity can be used to enable/disable automatic upgrades of
-security for LE devices, by default it is enabled so existing devices
-that did not require security and were not bonded will automatically
-upgrade the security.
-
-Note: Platforms disabling this setting would require users to manually
-bond the device which may require changes to the user interface to
-always force bonding for input devices as APIs such as Device.Connect
-will no longer work which maybe perceived as a regression.
----
- profiles/input/device.h   |  1 +
- profiles/input/hog.c      | 13 +++++++++++--
- profiles/input/input.conf |  5 +++++
- profiles/input/manager.c  | 11 ++++++++++-
- 4 files changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/profiles/input/device.h b/profiles/input/device.h
-index 3044db6..5a077f9 100644
---- a/profiles/input/device.h
-+++ b/profiles/input/device.h
-@@ -30,6 +30,7 @@ struct input_conn;
- void input_set_idle_timeout(int timeout);
- void input_enable_userspace_hid(bool state);
- void input_set_classic_bonded_only(bool state);
-+void input_set_auto_sec(bool state);
- 
- int input_device_register(struct btd_service *service);
- void input_device_unregister(struct btd_service *service);
-diff --git a/profiles/input/hog.c b/profiles/input/hog.c
-index e0e9df2..4714e1e 100644
---- a/profiles/input/hog.c
-+++ b/profiles/input/hog.c
-@@ -53,6 +53,7 @@
- #include "src/shared/gatt-client.h"
- #include "src/plugin.h"
- 
-+#include "device.h"
- #include "suspend.h"
- #include "attrib/att.h"
- #include "attrib/gattrib.h"
-@@ -67,8 +68,14 @@ struct hog_device {
- };
- 
- static gboolean suspend_supported = FALSE;
-+static bool auto_sec = true;
- static struct queue *devices = NULL;
- 
-+void input_set_auto_sec(bool state)
-+{
-+	auto_sec = state;
-+}
-+
- static void hog_device_accept(struct hog_device *dev, struct gatt_db *db)
- {
- 	char name[248];
-@@ -192,11 +199,13 @@ static int hog_accept(struct btd_service *service)
- 	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
- 		struct bt_gatt_client *client;
- 
-+		if (!auto_sec)
-+			return -ECONNREFUSED;
-+
- 		client = btd_device_get_gatt_client(device);
- 		if (!bt_gatt_client_set_security(client,
--						BT_ATT_SECURITY_MEDIUM)) {
-+						BT_ATT_SECURITY_MEDIUM))
- 			return -ECONNREFUSED;
--		}
- 	}
- 
- 	/* TODO: Replace GAttrib with bt_gatt_client */
-diff --git a/profiles/input/input.conf b/profiles/input/input.conf
-index 166aff4..4c70bc5 100644
---- a/profiles/input/input.conf
-+++ b/profiles/input/input.conf
-@@ -19,3 +19,8 @@
- # pairing/encryption.
- # Defaults to false to maximize device compatibility.
- #ClassicBondedOnly=true
-+
-+# LE upgrade security
-+# Enables upgrades of security automatically if required.
-+# Defaults to true to maximize device compatibility.
-+#LEAutoSecurity=true
-diff --git a/profiles/input/manager.c b/profiles/input/manager.c
-index 5cd27b8..bf4acb4 100644
---- a/profiles/input/manager.c
-+++ b/profiles/input/manager.c
-@@ -96,7 +96,7 @@ static int input_init(void)
- 	config = load_config_file(CONFIGDIR "/input.conf");
- 	if (config) {
- 		int idle_timeout;
--		gboolean uhid_enabled, classic_bonded_only;
-+		gboolean uhid_enabled, classic_bonded_only, auto_sec;
- 
- 		idle_timeout = g_key_file_get_integer(config, "General",
- 							"IdleTimeout", &err);
-@@ -125,6 +125,15 @@ static int input_init(void)
- 		} else
- 			g_clear_error(&err);
- 
-+		auto_sec = g_key_file_get_boolean(config, "General",
-+						"LEAutoSecurity", &err);
-+		if (!err) {
-+			DBG("input.conf: LEAutoSecurity=%s",
-+					auto_sec ? "true" : "false");
-+			input_set_auto_sec(auto_sec);
-+		} else
-+			g_clear_error(&err);
-+
- 	}
- 
- 	btd_profile_register(&input_profile);
--- 
-1.8.3.1
-

bluez.spec

@@ -1,7 +1,7 @@
 Name:             bluez
 Summary:          Bluetooth utilities
-Version:          5.50
-Release:          9
+Version:          5.54
+Release:          1
 License:          GPLv2+
 URL:              http://www.bluez.org/
 Source0:          http://www.kernel.org/pub/linux/bluetooth/bluez-%{version}.tar.xz
@@ -11,30 +11,25 @@ Source2:          69-btattach-bcm.rules
 Source3:          btattach-bcm@.service
 Source4:          btattach-bcm-service.sh
 
-Patch0001:        0001-build-Enable-BIND_NOW.patch
-Patch0003:        0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
-Patch0004:        0001-build-Always-define-confdir-and-statedir.patch
-Patch0005:        0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
-Patch0006:        0003-systemd-Add-more-filesystem-lockdown.patch
-Patch0007:        0004-systemd-More-lockdown.patch
-Patch0008:        0001-policy-Add-logic-to-connect-a-Sink.patch
-Patch0009:        fix-CVE-2018-10910-1.patch
-Patch0010:        fix-CVE-2018-10910-2.patch
+Patch0001:        0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
+Patch0002:        0001-build-Always-define-confdir-and-statedir.patch
+Patch0003:        0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+Patch0004:        0003-systemd-Add-more-filesystem-lockdown.patch
+Patch0005:        0004-systemd-More-lockdown.patch
 
-Patch0011:        CVE-2020-0556-1.patch
-Patch0012:        CVE-2020-0556-2.patch
-Patch0013:        CVE-2020-0556-3.patch
-Patch0014:        CVE-2020-0556-4.patch
-
-BuildRequires:    dbus-devel >= 1.6
-BuildRequires:    git-core glib2-devel libical-devel readline-devel libell-devel
-BuildRequires:    json-c-devel systemd-devel cups-devel libtool automake autoconf
+BuildRequires:    dbus-devel >= 1.6 libell-devel >= 0.28 autoconf
+BuildRequires:    git-core glib2-devel libical-devel readline-devel 
+BuildRequires:    json-c-devel systemd-devel cups-devel libtool automake 
 Requires:         dbus >= 1.6 %{name}-libs = %{version}-%{release}
 Requires(post):   systemd
 Requires(preun):  systemd
 Requires(postun): systemd
-Provides:         bluez-hid2hci bluez-obexd
-Obsoletes:        bluez-hid2hci bluez-obexd
+Provides:         bluez-hid2hci = %{version}-%{release} 
+Provides:	  bluez-obexd = %{version}-%{release}
+Provides:  	  bluez-mesh = %{version}-%{release}
+Obsoletes:        bluez-hid2hci < %{version}-%{release}
+Obsoletes:	  bluez-obexd < %{version}-%{release}
+Obsoletes:	  bluez-mesh < %{version}-%{release}
 
 %description
 This package provides all utilities for use in Bluetooth applications.
@@ -49,18 +44,14 @@ Libraries forbluez.
 %package          devel
 Summary:          Development libraries for Bluetooth applications
 Requires:         %{name}-libs = %{version}-%{release}
-Provides:         bluez-libs-devel
-Obsoletes:        bluez-libs-devel
+Provides:         bluez-libs-devel = %{version}-%{release}
+Obsoletes:        bluez-libs-devel < %{version}-%{release}
 
 %description      devel
 This package provides development libraries and headers for Bluetooth related
 applications.
 
-%package          help
-Summary: Help manual for bluetooth application related utilities
-
-%description      help
-This package provides help manual function for Bluetooth utilities separately.
+%package_help
 
 %package          cups
 Summary: CUPS printer backend for Bluetooth printers
@@ -78,6 +69,7 @@ libtoolize -f
 autoreconf -f -i
 %configure --enable-tools --enable-library --enable-deprecated \
            --enable-sixaxis --enable-cups --enable-nfc --enable-mesh \
+	   --enable-testing \
            --with-systemdsystemunitdir=%{_unitdir} \
            --with-systemduserunitdir=%{_userunitdir}
 %make_build V=1
@@ -86,8 +78,7 @@ autoreconf -f -i
 %make_install
 install -m0755 attrib/gatttool $RPM_BUILD_ROOT%{_bindir}
 
-# Remove autocrap and libtool related redundant items
-find $RPM_BUILD_ROOT -name '*.la' -delete
+%delete_la
 
 # Remove the cups backend from libdir, and install it in new default CUPS binary directory
 if test -d ${RPM_BUILD_ROOT}/usr/lib64/cups ; then
@@ -95,13 +86,16 @@ if test -d ${RPM_BUILD_ROOT}/usr/lib64/cups ; then
         rm -rf ${RPM_BUILD_ROOT}%{_libdir}/cups
 fi
 
-rm -f ${RPM_BUILD_ROOT}/%{_udevrulesdir}/*.rules
-install -D -p -m0644 tools/hid2hci.rules ${RPM_BUILD_ROOT}/%{_udevrulesdir}/97-hid2hci.rules
-install -d -m0755 $RPM_BUILD_ROOT/%{_localstatedir}/lib/bluetooth
-install -d $RPM_BUILD_ROOT/%{_libdir}/bluetooth/
+rm -f %{buildroot}/%{_sysconfdir}/udev/*.rules %{buildroot}/usr/lib/udev/rules.d/*.rules
+install -D -p -m 0644 tools/hid2hci.rules %{buildroot}/%{_udevrulesdir}/97-hid2hci.rules
+install -d -m 0755 %{buildroot}/%{_localstatedir}/lib/bluetooth
+install -d -m 0755 %{buildroot}/%{_localstatedir}/lib/bluetooth/mesh
+install -d %{buildroot}/%{_libdir}/bluetooth/
 
 # Copy bluetooth config file
-install -D -p -m0644 src/main.conf ${RPM_BUILD_ROOT}/etc/bluetooth/main.conf
+install -D -p -m0644 src/main.conf %{buildroot}/etc/bluetooth/main.conf
+install -D -p -m0644 mesh/mesh-main.conf %{buildroot}/etc/bluetooth/mesh-main.conf
+
 # Setup auto enable
 sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=true/' ${RPM_BUILD_ROOT}/%{_sysconfdir}/bluetooth/main.conf
 
@@ -110,63 +104,77 @@ install -D -p -m0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_udevrulesdir}/
 install -D -p -m0644 %{SOURCE3} ${RPM_BUILD_ROOT}/%{_unitdir}/
 install -D -p -m0755 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_libexecdir}/bluetooth/
 
+%check
+make check
+
+%ldconfig_scriptlets libs
+
 %preun
 %systemd_preun bluetooth.service
 %systemd_user_preun obex.service
+%systemd_user_preun bluetooth-mesh.service
 
 %post
 %systemd_post bluetooth.service
 /sbin/udevadm trigger --subsystem-match=usb
 %systemd_user_post obex.service
+%systemd_user_post bluetooth-mesh.service
 
 %postun
 %systemd_postun_with_restart bluetooth.service
 
-%ldconfig_scriptlets libs
 
 %files
-%{!?_licensedir:%global license %%doc}
-%license COPYING
+%defattr(-,root,root)
 %doc AUTHORS ChangeLog
-%config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf
+%license COPYING
 %config %{_sysconfdir}/bluetooth/main.conf
+%config %{_sysconfdir}/bluetooth/mesh-main.conf
+%config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf
+%config %{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf
 %{_bindir}/*
-%{_libexecdir}/bluetooth/bluetoothd
-%{_libexecdir}/bluetooth/btattach-bcm-service.sh
-# This is obexd relative file
-%{_libexecdir}/bluetooth/obexd
 %{_libdir}/bluetooth/
-# This is hid2hci relative file
-%{_exec_prefix}/lib/udev/hid2hci
+%{_prefix}/lib/udev/hid2hci
+%{_libexecdir}/bluetooth/obexd
+%{_libexecdir}/bluetooth/bluetoothd
+%{_libexecdir}/bluetooth/bluetooth-meshd
+%{_libexecdir}/bluetooth/btattach-bcm-service.sh
 %{_localstatedir}/lib/bluetooth
-%{_datadir}/dbus-1/system-services/org.bluez.service
-# This is obexd relative file
-%{_datadir}/dbus-1/services/org.bluez.obex.service
 %{_unitdir}/bluetooth.service
 %{_unitdir}/btattach-bcm@.service
-%{_udevrulesdir}/69-btattach-bcm.rules
-# hid2hci relative files
-%{_udevrulesdir}/97-hid2hci.rules
-# obexd relative files
+%{_unitdir}/bluetooth-mesh.service
+%{_datadir}/zsh/site-functions/_bluetoothctl
+%{_datadir}/dbus-1/services/org.bluez.obex.service
+%{_datadir}/dbus-1/system-services/org.bluez.service
+%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
 %{_userunitdir}/obex.service
+%{_udevrulesdir}/97-hid2hci.rules
+%{_udevrulesdir}/69-btattach-bcm.rules
 
 %files            libs
+%defattr(-,root,root)
 %{_libdir}/libbluetooth.so.*
 
-%files            help
-%{_mandir}/man1/*
-%{_mandir}/man8/*
-
 %files            devel
+%defattr(-,root,root)
 %doc doc/*txt
 %{_libdir}/libbluetooth.so
 %{_includedir}/bluetooth
 %{_libdir}/pkgconfig/bluez.pc
 
 %files            cups
+%defattr(-,root,root)
 %_cups_serverbin/backend/bluetooth
 
+%files            help
+%defattr(-,root,root)
+%{_mandir}/man1/*
+%{_mandir}/man8/*
+
 %changelog
+* Wed Jul 22 2020 songnannan <songnannan2@huawei.com> - 5.54-1
+- update to 5.54
+
 * Wed May 20 2020 songnannan <songnannan2@huawei.com> - 5.50-9
 - delete the check temporarily
 

fix-CVE-2018-10910-1.patch

@@ -1,136 +0,0 @@
-From linux-bluetooth  Fri Jul 27 13:02:17 2018
-From: Luiz Augusto von Dentz <luiz.dentz () gmail ! com>
-Date: Fri, 27 Jul 2018 13:02:17 +0000
-To: linux-bluetooth
-Subject: [PATCH BlueZ 1/2] core: Add AlwaysPairable to main.conf
-Message-Id: <20180727130218.16975-1-luiz.dentz () gmail ! com>
-X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=153269654418730
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-This adds a new option called AlwaysPairable to main.conf, it can be
-used to enable Adapter.Pairable even in case there is no Agent
-available.
-
-Since that could be consider a security problem to allow pairing
-without user's consent the option defaults to false.
----
- src/adapter.c | 16 +++++++++++++++-
- src/agent.h   |  7 +++++++
- src/hcid.h    |  1 +
- src/main.c    | 11 +++++++++++
- src/main.conf |  5 +++++
- 5 files changed, 39 insertions(+), 1 deletion(-)
-
-diff --git a/src/adapter.c b/src/adapter.c
-index af340fd..720621f 100644
---- a/src/adapter.c
-+++ b/src/adapter.c
-@@ -7754,6 +7754,19 @@ int adapter_set_io_capability(struct btd_adapter *adapter, uint8_t io_cap)
- {
- 	struct mgmt_cp_set_io_capability cp;
- 
-+	if (!main_opts.pairable) {
-+		if (io_cap == IO_CAPABILITY_INVALID) {
-+			if (adapter->current_settings & MGMT_SETTING_BONDABLE)
-+				set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x00);
-+
-+			return 0;
-+		}
-+
-+		if (!(adapter->current_settings & MGMT_SETTING_BONDABLE))
-+			set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01);
-+	} else if (io_cap == IO_CAPABILITY_INVALID)
-+		io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT;
-+
- 	memset(&cp, 0, sizeof(cp));
- 	cp.io_capability = io_cap;
- 
-@@ -8682,7 +8695,8 @@ static void read_info_complete(uint8_t status, uint16_t length,
- 
- 	set_name(adapter, btd_adapter_get_name(adapter));
- 
--	if (!(adapter->current_settings & MGMT_SETTING_BONDABLE))
-+	if (main_opts.pairable &&
-+			!(adapter->current_settings & MGMT_SETTING_BONDABLE))
- 		set_mode(adapter, MGMT_OP_SET_BONDABLE, 0x01);
- 
- 	if (!kernel_conn_control)
-diff --git a/src/agent.h b/src/agent.h
-index 1e46920..088c258 100644
---- a/src/agent.h
-+++ b/src/agent.h
-@@ -22,6 +22,13 @@
-  *
-  */
- 
-+#define IO_CAPABILITY_DISPLAYONLY	0x00
-+#define IO_CAPABILITY_DISPLAYYESNO	0x01
-+#define IO_CAPABILITY_KEYBOARDONLY	0x02
-+#define IO_CAPABILITY_NOINPUTNOOUTPUT	0x03
-+#define IO_CAPABILITY_KEYBOARDDISPLAY	0x04
-+#define IO_CAPABILITY_INVALID	0xFF
-+
- struct agent;
- 
- typedef void (*agent_cb) (struct agent *agent, DBusError *err,
-diff --git a/src/hcid.h b/src/hcid.h
-index 2c2b89d..ba25057 100644
---- a/src/hcid.h
-+++ b/src/hcid.h
-@@ -38,6 +38,7 @@ typedef enum {
- struct main_opts {
- 	char		*name;
- 	uint32_t	class;
-+	gboolean	pairable;
- 	uint32_t	pairto;
- 	uint32_t	discovto;
- 	uint8_t		privacy;
-diff --git a/src/main.c b/src/main.c
-index 7e6af42..e32df14 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -81,6 +81,7 @@ static const char *supported_options[] = {
- 	"Name",
- 	"Class",
- 	"DiscoverableTimeout",
-+	"AlwaysPairable",
- 	"PairableTimeout",
- 	"DeviceID",
- 	"ReverseServiceDiscovery",
-@@ -287,6 +288,16 @@ static void parse_config(GKeyFile *config)
- 		main_opts.discovto = val;
- 	}
- 
-+	boolean = g_key_file_get_boolean(config, "General",
-+						"AlwaysPairable", &err);
-+	if (err) {
-+		DBG("%s", err->message);
-+		g_clear_error(&err);
-+	} else {
-+		DBG("pairable=%s", boolean ? "true" : "false");
-+		main_opts.pairable = boolean;
-+	}
-+
- 	val = g_key_file_get_integer(config, "General",
- 						"PairableTimeout", &err);
- 	if (err) {
-diff --git a/src/main.conf b/src/main.conf
-index cbae32e..0d480d1 100644
---- a/src/main.conf
-+++ b/src/main.conf
-@@ -13,6 +13,11 @@
- # 0 = disable timer, i.e. stay discoverable forever
- #DiscoverableTimeout = 0
- 
-+# Always allow pairing even if there are no agent registered
-+# Possible values: true, false
-+# Default: false
-+#AlwaysPairable = false
-+
- # How long to stay in pairable mode before going back to non-discoverable
- # The value is in seconds. Default is 0.
- # 0 = disable timer, i.e. stay pairable forever
--- 
-1.8.3.1
-

fix-CVE-2018-10910-2.patch

@@ -1,59 +0,0 @@
-From linux-bluetooth  Fri Jul 27 13:02:18 2018
-From: Luiz Augusto von Dentz <luiz.dentz () gmail ! com>
-Date: Fri, 27 Jul 2018 13:02:18 +0000
-To: linux-bluetooth
-Subject: [PATCH BlueZ 2/2] agent: Make the first agent to register the default
-Message-Id: <20180727130218.16975-2-luiz.dentz () gmail ! com>
-X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=153269654618731
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-This simplifies the handling of default agent and enforce the IO
-capabilities to be set whenever there is an agent available in the
-system.
----
- src/agent.c | 14 ++++++--------
- 1 file changed, 6 insertions(+), 8 deletions(-)
-
-diff --git a/src/agent.c b/src/agent.c
-index ff44d57..183e2f1 100644
---- a/src/agent.c
-+++ b/src/agent.c
-@@ -50,13 +50,6 @@
- #include "agent.h"
- #include "shared/queue.h"
- 
--#define IO_CAPABILITY_DISPLAYONLY	0x00
--#define IO_CAPABILITY_DISPLAYYESNO	0x01
--#define IO_CAPABILITY_KEYBOARDONLY	0x02
--#define IO_CAPABILITY_NOINPUTNOOUTPUT	0x03
--#define IO_CAPABILITY_KEYBOARDDISPLAY	0x04
--#define IO_CAPABILITY_INVALID		0xFF
--
- #define REQUEST_TIMEOUT (60 * 1000)		/* 60 seconds */
- #define AGENT_INTERFACE "org.bluez.Agent1"
- 
-@@ -150,7 +143,7 @@ static void set_io_cap(struct btd_adapter *adapter, gpointer user_data)
- 	if (agent)
- 		io_cap = agent->capability;
- 	else
--		io_cap = IO_CAPABILITY_NOINPUTNOOUTPUT;
-+		io_cap = IO_CAPABILITY_INVALID;
- 
- 	adapter_set_io_capability(adapter, io_cap);
- }
-@@ -294,6 +287,11 @@ static struct agent *agent_create( const char *name, const char *path,
- 							name, agent_disconnect,
- 							agent, NULL);
- 
-+	if (queue_isempty(default_agents))
-+		add_default_agent(agent);
-+	else
-+		queue_push_tail(default_agents, agent);
-+
- 	return agent_ref(agent);
- }
- 
--- 
-1.8.3.1
-