* [bluez/bluez] 45fc10: shared/att: don't auto-bond on reactive elevation
@ 2026-07-18 20:25 Philipp Dunkel
0 siblings, 0 replies; only message in thread
From: Philipp Dunkel @ 2026-07-18 20:25 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1130150
Home: https://github.com/bluez/bluez
Commit: 45fc1030b964091e556343571b76be0ca64be664
https://github.com/bluez/bluez/commit/45fc1030b964091e556343571b76be0ca64be664
Author: Philipp Dunkel <pip@pipobscure.com>
Date: 2026-07-18 (Sat, 18 Jul 2026)
Changed paths:
M src/device.c
M src/shared/att.c
M src/shared/att.h
Log Message:
-----------
shared/att: don't auto-bond on reactive elevation
When bluetoothd connects to a freshly discovered LE peer it probes it as
a GATT client through its built-in profiles (battery, mcp, ...). If one
of those reads a characteristic the peer has protected, the peer answers
with Insufficient Authentication (0x05). change_security() reacts to that
error by raising BT_SECURITY on the ATT socket, and on an unbonded LE
link raising security starts SMP pairing.
The result is a bond that nobody asked for: no user, no agent, and no
application requested it. It logs as a device_bonding_complete() bond
with a (nil) requestor, and the user is shown a pairing prompt for a
device that merely came into range and connected. On phones and laptops
that expose authentication-gated GATT characteristics this fires on
essentially every connection.
The existing opt-out cannot prevent it. change_security() only returns
early when chan->sec_level != BT_ATT_SECURITY_AUTO, but
bt_att_chan_set_security() records sec_level solely for BT_ATT_LOCAL
channels. An L2CAP/LE channel keeps its zero-initialised value (AUTO)
for its entire lifetime, so the guard never triggers and the link
always elevates.
Add bt_att_set_no_auto_sec(), a per-bt_att flag that makes
change_security() refuse to elevate. Set it from gatt_client_init() for
any connection that is neither bonded nor in a requested bonding, so a
speculative profile probe that hits an authentication-protected
characteristic fails on the auth error instead of silently pairing.
Devices being bonded via Pair() are unaffected: device->bonding is set
before the connection is established, so gatt_client_init() takes the
existing elevate-for-bonding branch and never sets the flag. Already
bonded devices are unaffected too: they are elevated proactively at
attach time when their LTK is available, and reconnections see
device_is_bonded() and skip the flag.
Tested against Android (Galaxy Z Flip 4), iOS (iPhone) and macOS
(MacBook): each connects and is probed by the built-in profiles with no
unsolicited pairing prompt, while explicit pairing continues to work.
Assisted-by: Claude:Opus-4.8
AI disclosure: this change was developed with the assistance of an AI
model (Claude Opus 4.8). The author reviewed every line. The fix was
built and exercised on real hardware -- against Android (Galaxy Z Flip
4), iOS (iPhone) and macOS (MacBook) peers -- and its behaviour was
observed directly, not inferred.
Commit: 4df3db7680e9da534458880a0b8a778a559a610f
https://github.com/bluez/bluez/commit/4df3db7680e9da534458880a0b8a778a559a610f
Author: Philipp Dunkel <pip@pipobscure.com>
Date: 2026-07-18 (Sat, 18 Jul 2026)
Changed paths:
M unit/test-gatt.c
Log Message:
-----------
unit/test-gatt: cover no-auto-sec on auth error
Add a regression test for bt_att_set_no_auto_sec(). The client reads a
characteristic and the peer answers with Insufficient Authentication
(0x05). Security is armed to BT_ATT_SECURITY_AUTO so a reactive elevation
would normally fire and retry the read, but no_auto_sec is set, so the
error must instead be delivered to the caller with no second request on
the wire.
This is the /auto variant (which does retry after elevating) with the
elevation forbidden. With the flag honoured the read fails once with
0x05; without it the client retries and the test aborts on the
unexpected Read Request, guarding the fix against regression.
Assisted-by: Claude:Opus-4.8
AI disclosure: this change was developed with the assistance of an AI
model (Claude Opus 4.8). The author reviewed every line. The test was
run against the built tree: it passes with patch 1 applied and was
confirmed to fail (client retries, harness aborts) without it.
Compare: https://github.com/bluez/bluez/compare/45fc1030b964%5E...4df3db7680e9
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-07-18 20:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-18 20:25 [bluez/bluez] 45fc10: shared/att: don't auto-bond on reactive elevation Philipp Dunkel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.