From: Conrad Meyer
Date: Wed, 1 Nov 2017 18:58:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r325287 - in head/etc: defaults rc.d
X-SVN-Group: head
X-SVN-Commit-Author: cem
X-SVN-Commit-Paths: in head/etc: defaults rc.d
X-SVN-Commit-Revision: 325287
X-SVN-Commit-Repository: base
List-Id: SVN commit messages for the src tree for head/-current

Author: cem
Date: Wed Nov 1 18:58:54 2017
New Revision: 325287
URL: https://svnweb.freebsd.org/changeset/base/325287

Log:
  bluetooth: Default to discoverable off

  Try to not expose bluetooth devices to external devices unless the user
  explicitly configures it, like any other radio/network device. Bluetooth
  has a long history of security problems and it is probably best to keep it
  disabled if not needed.

  Users who do use the bluetooth device should enable "discoverable" in
  bluetooth.device.conf(5) after this change.

  Keep in mind that bluetooth addresses can be discovered by passive
  monitoring or whole address-space scans[0], so a safety conscious user
  should also disable "connectable" in bluetooth.device.conf(5).

[0]: https://www.sans.edu/cyber-research/security-laboratory/article/bluetooth Reviewed by: emax, hselasky Security: maybe Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D12831 Modified: head/etc/defaults/bluetooth.device.conf head/etc/rc.d/bluetooth Modified: head/etc/defaults/bluetooth.device.conf ============================================================================== --- head/etc/defaults/bluetooth.device.conf Wed Nov 1 18:49:45 2017 (r325286) +++ head/etc/defaults/bluetooth.device.conf Wed Nov 1 18:58:54 2017 (r325287) @@ -65,7 +65,7 @@ # NO or 0 do not scan for inquiry requests; # YES or 1 scan for inquiry requests (default). -# discoverable="YES" +# discoverable="NO" # The encryption_mode parameter controls if the device requires encryption # to the remote device at connection setup. At connection setup, only the Modified: head/etc/rc.d/bluetooth ============================================================================== --- head/etc/rc.d/bluetooth Wed Nov 1 18:49:45 2017 (r325286) +++ head/etc/rc.d/bluetooth Wed Nov 1 18:58:54 2017 (r325287) @@ -287,7 +287,7 @@ bluetooth_start() bluetooth_device_authentication_enable="0" bluetooth_device_class="ff:01:0c" bluetooth_device_connectable="1" - bluetooth_device_discoverable="1" + bluetooth_device_discoverable="0" bluetooth_device_encryption_mode="0" bluetooth_device_hci_debug_level="3" bluetooth_device_l2cap_debug_level="3"
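
Review bot: In the bluetooth.device.conf hunk, the unchanged comment line above the setting still reads "YES or 1 scan for inquiry requests (default)", which no longer matches the new discoverable="NO" value. Move the "(default)" marker to the "NO or 0" line so the commented documentation agrees with the default set in rc.d/bluetooth.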
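
Review bot: In the bluetooth_start() hunk, bluetooth_device_connectable="1" is left unchanged on the line above the new bluetooth_device_discoverable="0", and bluetooth_device_authentication_enable and bluetooth_device_encryption_mode both stay at "0", so a device running on defaults stops answering inquiry scans but still accepts connections from anyone who already knows its address, as the log message itself points out. Consider stating that next to the discoverable comment in bluetooth.device.conf. Since the Modified list covers only these two files, also consider adding a note for users who relied on the old default, so the behaviour change on upgrade is not silent.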