bluez (5.50-1.2~deb10u1co1) apertis; urgency=medium
* Apertis specific downstream changes
+ debian/apparmor.d/usr.lib.bluetooth.bluetoothd: allow bluetoothd to access
/dev/hidraw nodes which are needed for out-of-band USB pairing (for instance
sixaxis controllers).
+ debian/bluez.tmpfile: Create /var/lib/bluetooth on boot as apparmor won't
allow bluetoothd to create it, which means all Bluetooth operations will
fail.
+ Add AppArmor profiles from Apertis 18.12
+ Use updated AppArmor profile
+ Fix the label in AppArmor profile
+ Add dh-apparmor into build dependencies
+ set car class of device
-- Ritesh Raj Sarraf <ritesh.sarraf@collabora.com> Thu, 30 Apr 2020 20:32:45 +0530
bluez (5.50-1.2~deb10u1) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
* Rebuild for buster-security.
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 22 Mar 2020 10:55:38 +0100
bluez (5.50-1.2) unstable; urgency=medium
* Non-maintainer upload.
* input: hog: Attempt to set security level if not bonded
* input: Add LEAutoSecurity setting to input.conf
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 20 Mar 2020 21:19:01 +0100
bluez (5.50-1.1) unstable; urgency=high
* Non-maintainer upload.
* Address INTEL-SA-00352 (CVE-2020-0556) (Closes: #953770)
- HOGP must only accept data from bonded devices
- HID accepts bonded device connections only
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 13 Mar 2020 21:31:22 +0100
bluez (5.50-1co4) apertis; urgency=medium
* debian/apparmor.d/usr.lib.bluetooth.bluetoothd: allow bluetoothd to access
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:18 +0000
Subject: HID accepts bonded device connections only.
Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
Bug-Debian: https://bugs.debian.org/953770
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556
This change adds a configuration for platforms to choose a more secure
posture for the HID profile. While some older mice are known to not
support pairing or encryption, some platform may choose a more secure
posture by requiring the device to be bonded and require the
connection to be encrypted when bonding is required.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
---
profiles/input/device.c | 23 ++++++++++++++++++++++-
profiles/input/device.h | 1 +
profiles/input/input.conf | 8 ++++++++
profiles/input/manager.c | 13 ++++++++++++-
4 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/profiles/input/device.c b/profiles/input/device.c
index 2cb3811c8d46..d89da2d7ccac 100644
--- a/profiles/input/device.c
+++ b/profiles/input/device.c
@@ -92,6 +92,7 @@ struct input_device {
static int idle_timeout = 0;
static bool uhid_enabled = false;
+static bool classic_bonded_only = false;
void input_set_idle_timeout(int timeout)
{
@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
uhid_enabled = state;
}
+void input_set_classic_bonded_only(bool state)
+{
+ classic_bonded_only = state;
+}
+
static void input_device_enter_reconnect_mode(struct input_device *idev);
static int connection_disconnect(struct input_device *idev, uint32_t flags);
@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
if (device_name_known(idev->device))
device_get_name(idev->device, req->name, sizeof(req->name));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device))) {
+ error("Rejected connection from !bonded device %s", dst_addr);
+ goto cleanup;
+ }
+
/* Encryption is mandatory for keyboards */
- if (req->subclass & 0x40) {
+ /* Some platforms may choose to require encryption for all devices */
+ /* Note that this only matters for pre 2.1 devices as otherwise the */
+ /* device is encrypted by default by the lower layers */
+ if (classic_bonded_only || req->subclass & 0x40) {
if (!bt_io_set(idev->intr_io, &gerr,
BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
BT_IO_OPT_INVALID)) {
@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
DBG("path=%s reconnect_mode=%s", idev->path,
reconnect_mode_to_string(idev->reconnect_mode));
+ /* Make sure the device is bonded if required */
+ if (classic_bonded_only && !device_is_bonded(idev->device,
+ btd_device_get_bdaddr_type(idev->device)))
+ return;
+
/* Only attempt an auto-reconnect when the device is required to
* accept reconnections from the host.
*/
diff --git a/profiles/input/device.h b/profiles/input/device.h
index 51a9aee181ab..3044db67332c 100644
--- a/profiles/input/device.h
+++ b/profiles/input/device.h
@@ -29,6 +29,7 @@ struct input_conn;
void input_set_idle_timeout(int timeout);
void input_enable_userspace_hid(bool state);
+void input_set_classic_bonded_only(bool state);
int input_device_register(struct btd_service *service);
void input_device_unregister(struct btd_service *service);
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 3e1d65aaefee..166aff4a43b2 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -11,3 +11,11 @@
# Enable HID protocol handling in userspace input profile
# Defaults to false (HIDP handled in HIDP kernel module)
#UserspaceHID=true
+
+# Limit HID connections to bonded devices
+# The HID Profile does not specify that devices must be bonded, however some
+# platforms may want to make sure that input connections only come from bonded
+# device connections. Several older mice have been known for not supporting
+# pairing/encryption.
+# Defaults to false to maximize device compatibility.
+#ClassicBondedOnly=true
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 1d31b065298e..5cd27b8396b8 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
config = load_config_file(CONFIGDIR "/input.conf");
if (config) {
int idle_timeout;
- gboolean uhid_enabled;
+ gboolean uhid_enabled, classic_bonded_only;
idle_timeout = g_key_file_get_integer(config, "General",
"IdleTimeout", &err);
@@ -114,6 +114,17 @@ static int input_init(void)
input_enable_userspace_hid(uhid_enabled);
} else
g_clear_error(&err);
+
+ classic_bonded_only = g_key_file_get_boolean(config, "General",
+ "ClassicBondedOnly", &err);
+
+ if (!err) {
+ DBG("input.conf: ClassicBondedOnly=%s",
+ classic_bonded_only ? "true" : "false");
+ input_set_classic_bonded_only(classic_bonded_only);
+ } else
+ g_clear_error(&err);
+
}
btd_profile_register(&input_profile);
--
2.25.1
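Review bot: The bonded-only rejection in hidp_add_connection (the block right after the device_get_name call in the first device.c hunk) jumps to cleanup without assigning err, so the caller receives whatever err held before the check; that earlier assignment is outside the hunk, and if it is the result of a preceding successful call the rejection is reported to the caller as success (0) while the log says the connection was refused. Set an explicit code before the jump, e.g. `err = -ECONNREFUSED;` ahead of `goto cleanup;`, so the return value and the error() line agree. In the encryption condition of the same hunk, `classic_bonded_only || req->subclass & 0x40` relies on `&` binding tighter than `||`; writing `classic_bonded_only || (req->subclass & 0x40)` makes the intent plain to the next reader. hidp_add_connection begins and ends outside the hunk.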
From: Alain Michaud <alainm@chromium.org>
Date: Tue, 10 Mar 2020 02:35:16 +0000
Subject: HOGP must only accept data from bonded devices.
Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
Bug-Debian: https://bugs.debian.org/953770
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-0556
HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
---
profiles/input/hog.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index 83c017dcb717..dfac689219a0 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
return -EINVAL;
}
+ /* HOGP 1.0 Section 6.1 requires bonding */
+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
+ return -ECONNREFUSED;
+
/* TODO: Replace GAttrib with bt_gatt_client */
bt_hog_attach(dev->hog, attrib);
--
2.25.1
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Wed, 11 Mar 2020 11:43:21 -0700
Subject: input: Add LEAutoSecurity setting to input.conf
Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=f2778f5877d20696d68a452b26e4accb91bfb19e
LEAutoSecurity can be used to enable/disable automatic upgrades of
security for LE devices, by default it is enabled so existing devices
that did not require security and were not bonded will automatically
upgrade the security.
Note: Platforms disabling this setting would require users to manually
bond the device which may require changes to the user interface to
always force bonding for input devices as APIs such as Device.Connect
will no longer work which maybe perceived as a regression.
---
profiles/input/device.h | 1 +
profiles/input/hog.c | 13 +++++++++++--
profiles/input/input.conf | 5 +++++
profiles/input/manager.c | 11 ++++++++++-
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/profiles/input/device.h b/profiles/input/device.h
index 3044db67332c..5a077f92a82c 100644
--- a/profiles/input/device.h
+++ b/profiles/input/device.h
@@ -30,6 +30,7 @@ struct input_conn;
void input_set_idle_timeout(int timeout);
void input_enable_userspace_hid(bool state);
void input_set_classic_bonded_only(bool state);
+void input_set_auto_sec(bool state);
int input_device_register(struct btd_service *service);
void input_device_unregister(struct btd_service *service);
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index f0226ebbd1ba..327a1d1c3c2b 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -53,6 +53,7 @@
#include "src/shared/gatt-client.h"
#include "src/plugin.h"
+#include "device.h"
#include "suspend.h"
#include "attrib/att.h"
#include "attrib/gattrib.h"
@@ -67,8 +68,14 @@ struct hog_device {
};
static gboolean suspend_supported = FALSE;
+static bool auto_sec = true;
static struct queue *devices = NULL;
+void input_set_auto_sec(bool state)
+{
+ auto_sec = state;
+}
+
static void hog_device_accept(struct hog_device *dev, struct gatt_db *db)
{
char name[248];
@@ -192,11 +199,13 @@ static int hog_accept(struct btd_service *service)
if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
struct bt_gatt_client *client;
+ if (!auto_sec)
+ return -ECONNREFUSED;
+
client = btd_device_get_gatt_client(device);
if (!bt_gatt_client_set_security(client,
- BT_ATT_SECURITY_MEDIUM)) {
+ BT_ATT_SECURITY_MEDIUM))
return -ECONNREFUSED;
- }
}
/* TODO: Replace GAttrib with bt_gatt_client */
diff --git a/profiles/input/input.conf b/profiles/input/input.conf
index 166aff4a43b2..4c70bc561f05 100644
--- a/profiles/input/input.conf
+++ b/profiles/input/input.conf
@@ -19,3 +19,8 @@
# pairing/encryption.
# Defaults to false to maximize device compatibility.
#ClassicBondedOnly=true
+
+# LE upgrade security
+# Enables upgrades of security automatically if required.
+# Defaults to true to maximize device compatibility.
+#LEAutoSecurity=true
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 5cd27b8396b8..bf4acb4ed583 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -96,7 +96,7 @@ static int input_init(void)
config = load_config_file(CONFIGDIR "/input.conf");
if (config) {
int idle_timeout;
- gboolean uhid_enabled, classic_bonded_only;
+ gboolean uhid_enabled, classic_bonded_only, auto_sec;
idle_timeout = g_key_file_get_integer(config, "General",
"IdleTimeout", &err);
@@ -125,6 +125,15 @@ static int input_init(void)
} else
g_clear_error(&err);
+ auto_sec = g_key_file_get_boolean(config, "General",
+ "LEAutoSecurity", &err);
+ if (!err) {
+ DBG("input.conf: LEAutoSecurity=%s",
+ auto_sec ? "true" : "false");
+ input_set_auto_sec(auto_sec);
+ } else
+ g_clear_error(&err);
+
}
btd_profile_register(&input_profile);
--
2.20.1
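Review bot: The new `if (!auto_sec) return -ECONNREFUSED;` in hog_accept rejects an unbonded LE device silently, whereas the equivalent HID-side rejection in device.c logs with error("Rejected connection from !bonded device %s", ...); a refused input device with no log line is hard to diagnose for someone who has just turned LEAutoSecurity off. Add a log line before the return, e.g. `error("Rejected connection from non-bonded device: LEAutoSecurity disabled");`, using whichever log helper hog.c already has in scope (not visible in this hunk). Separately, input_set_auto_sec is defined in hog.c but declared in device.h beside the device.c setters, which is why the hunk has to add `#include "device.h"`; a one-line comment at the definition such as `/* Declared in device.h alongside the other input.conf setters */` saves a reader the search. hog_accept continues outside the hunk.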
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue, 10 Mar 2020 09:59:07 -0700
Subject: input: hog: Attempt to set security level if not bonded
Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
This attempts to set the security if the device is not bonded, the
kernel will block any communication on the ATT socket while bumping
the security and if that fails the device will be disconnected which
is better than having the device dangling around without being able to
communicate with it until it is properly bonded.
---
profiles/input/hog.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/profiles/input/hog.c b/profiles/input/hog.c
index dfac689219a0..f0226ebbd1ba 100644
--- a/profiles/input/hog.c
+++ b/profiles/input/hog.c
@@ -49,6 +49,8 @@
#include "src/shared/util.h"
#include "src/shared/uhid.h"
#include "src/shared/queue.h"
+#include "src/shared/att.h"
+#include "src/shared/gatt-client.h"
#include "src/plugin.h"
#include "suspend.h"
@@ -187,8 +189,15 @@ static int hog_accept(struct btd_service *service)
}
/* HOGP 1.0 Section 6.1 requires bonding */
- if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
- return -ECONNREFUSED;
+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) {
+ struct bt_gatt_client *client;
+
+ client = btd_device_get_gatt_client(device);
+ if (!bt_gatt_client_set_security(client,
+ BT_ATT_SECURITY_MEDIUM)) {
+ return -ECONNREFUSED;
+ }
+ }
/* TODO: Replace GAttrib with bt_gatt_client */
bt_hog_attach(dev->hog, attrib);
--
2.20.1
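Review bot: The retained comment `/* HOGP 1.0 Section 6.1 requires bonding */` now sits above code that lets an unbonded device through as long as bt_gatt_client_set_security() returns true, so the comment no longer states what this function enforces; the commit message says the kernel blocks ATT traffic while the upgrade is in progress and disconnects on failure, but that guarantee is not visible here. Reword the comment to match the behaviour, e.g. `/* HOGP 1.0 Section 6.1 requires bonding: if not bonded yet, request a security upgrade and rely on the kernel to block ATT traffic until it completes (disconnecting on failure) */`. As I read it, BT_ATT_SECURITY_MEDIUM asks for an encrypted link rather than an authenticated one, so whether the result satisfies the spec's bonding requirement depends on the lower layers; if that is the intended policy it belongs in the same comment. btd_device_get_gatt_client() is not checked for NULL in the hunk, so confirm that bt_gatt_client_set_security() tolerates a NULL client before relying on the `return -ECONNREFUSED;` path. hog_accept continues outside the hunk.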
......@@ -9,4 +9,8 @@ org.bluez.obex.service.in.patch
Fix-typo.patch
shared-gatt-client-Fix-segfault-after-PIN-entry.patch
main.conf-Add-more-details-Closes-904212.patch
HOGP-must-only-accept-data-from-bonded-devices.patch
HID-accepts-bonded-device-connections-only.patch
input-hog-Attempt-to-set-security-level-if-not-bonde.patch
input-Add-LEAutoSecurity-setting-to-input.conf.patch
set_car_device_class