From e4771e68a98d523d61fd4bfd20fc628fdabc2260007af590996b651b3fb8162b Mon Sep 17 00:00:00 2001
From: Stefan Seyfried <seife@novell.slipkontur.de>
Date: Wed, 2 Oct 2019 09:05:02 +0000
Subject: [PATCH] Accepting request 734516 from home:seife:testing

disable mesh service due to security concerns, see boo#1151518

OBS-URL: https://build.opensuse.org/request/show/734516
OBS-URL: https://build.opensuse.org/package/show/Base:System/bluez?expand=0&rev=273
---
 bluez.changes       |  7 +++++++
 bluez.spec          | 25 ++++++++++++++++++++++---
 temporary-rpmlintrc |  1 -
 3 files changed, 29 insertions(+), 4 deletions(-)
 delete mode 100644 temporary-rpmlintrc

diff --git a/bluez.changes b/bluez.changes
index 2b787b0..99ea89b 100644
--- a/bluez.changes
+++ b/bluez.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Oct  2 08:33:56 UTC 2019 - Stefan Seyfried <seife+obs@b1-systems.com>
+
+- disable mesh service due to security concerns, see boo#1151518
+- add README-mesh.SUSE to explain the issue
+- remove no longer necessary temporary-rpmlintrc
+
 -------------------------------------------------------------------
 Fri Sep 20 19:32:43 UTC 2019 - Stefan Seyfried <seife+obs@b1-systems.com>
 
diff --git a/bluez.spec b/bluez.spec
index 1a8c3d3..5967525 100644
--- a/bluez.spec
+++ b/bluez.spec
@@ -218,7 +218,23 @@ cd %{buildroot}%{_libdir}/bluez/test
 chmod 0644 *.py *.xml *.dtd
 
 # fix python shebang
-sed -i -e '1s/env p/p/' %{buildroot}%{_libdir}/bluez/test/example-gatt-{client,server}
+sed -i -e '1s/env p/p/' %{buildroot}%{_libdir}/bluez/test/{example-gatt-{client,server},test-mesh}
+
+# boo#1151518
+mkdir -p %{buildroot}%{_defaultdocdir}/%{name}
+mv %{buildroot}%{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf %{buildroot}%{_defaultdocdir}/%{name}
+mv %{buildroot}%{_datadir}/dbus-1/system-services/org.bluez.mesh.service %{buildroot}%{_defaultdocdir}/%{name}
+cat > %{buildroot}%{_defaultdocdir}/%{name}/README-mesh.SUSE << EOF
+The bluetooth-mesh dbus system config has been disabled due to security
+concerns. See https://bugzilla.opensuse.org/show_bug.cgi?id=1151518 for
+details.
+
+If you want to use this feature anyway, copy
+bluetooth-mesh.conf to %{_sysconfdir}/dbus-1/systemd.d/ and
+org.bluez.mesh.service to %{_datadir}/dbus-1/system-services/,
+then reboot.
+EOF
+touch -r %{SOURCE0} %{buildroot}%{_defaultdocdir}/%{name}/README-mesh.SUSE
 
 %check
 %if ! 0%{?qemu_user_space_build}
@@ -254,6 +270,7 @@ make check V=0
 %files
 %defattr(-, root, root)
 %doc AUTHORS ChangeLog README dbus-apis src/main.conf
+%doc %{_defaultdocdir}/%{name}/*
 %license COPYING
 %{_bindir}/bluemoon
 %{_bindir}/btattach
@@ -296,7 +313,8 @@ make check V=0
 %{_mandir}/man1/rfcomm.1%{ext_man}
 %{_mandir}/man1/rctest.1%{ext_man}
 %config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf
-%config %{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf
+# not packaged, boo#1151518
+###%%config %%{_sysconfdir}/dbus-1/system.d/bluetooth-mesh.conf
 %dir %{_localstatedir}/lib/bluetooth
 %dir %{_sysconfdir}/modprobe.d
 %config(noreplace) %{_sysconfdir}/modprobe.d/50-bluetooth.conf
@@ -304,7 +322,8 @@ make check V=0
 %{_unitdir}/bluetooth-mesh.service
 %{_datadir}/dbus-1/system-services/org.bluez.service
 %{_datadir}/dbus-1/services/org.bluez.obex.service
-%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
+# not packaged, boo#1151518
+###%%{_datadir}/dbus-1/system-services/org.bluez.mesh.service
 %{_datadir}/zsh/site-functions/_bluetoothctl
 
 %files devel
diff --git a/temporary-rpmlintrc b/temporary-rpmlintrc
deleted file mode 100644
index a70e508..0000000
--- a/temporary-rpmlintrc
+++ /dev/null
@@ -1 +0,0 @@
-setBadness('suse-dbus-unauthorized-service', 100)