|
 |
31d1b0 |
From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
|
|
|
31d1b0 |
From: Bastien Nocera <hadess@hadess.net>
|
|
|
31d1b0 |
Date: Wed, 13 Sep 2017 15:37:11 +0200
|
|
|
31d1b0 |
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
|
|
|
31d1b0 |
|
|
|
31d1b0 |
We can only access the configuration file as read-only and read-write
|
|
|
31d1b0 |
to the Bluetooth cache directory and sub-directories.
|
|
|
31d1b0 |
---
|
|
|
31d1b0 |
Makefile.am | 3 +++
|
|
|
31d1b0 |
src/bluetooth.service.in | 4 ++++
|
|
|
31d1b0 |
2 files changed, 7 insertions(+)
|
|
|
31d1b0 |
|
|
|
31d1b0 |
diff --git a/Makefile.am b/Makefile.am
|
|
|
31d1b0 |
index ac88c12e0..0a6d09847 100644
|
|
|
31d1b0 |
--- a/Makefile.am
|
|
|
31d1b0 |
+++ b/Makefile.am
|
|
|
31d1b0 |
@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
|
|
|
31d1b0 |
|
|
|
31d1b0 |
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
|
|
|
31d1b0 |
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
|
|
|
31d1b0 |
+ -e 's,@libexecdir\@,$(libexecdir),g' \
|
|
|
31d1b0 |
+ -e 's,@statedir\@,$(statedir),g' \
|
|
|
31d1b0 |
+ -e 's,@confdir\@,$(confdir),g' \
|
|
|
31d1b0 |
< $< > $@
|
|
|
31d1b0 |
|
|
|
31d1b0 |
%.service: %.service.in Makefile
|
|
|
31d1b0 |
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
|
|
31d1b0 |
index 7c2f60bb4..4daedef2a 100644
|
|
|
31d1b0 |
--- a/src/bluetooth.service.in
|
|
|
31d1b0 |
+++ b/src/bluetooth.service.in
|
|
|
31d1b0 |
@@ -17,6 +17,10 @@ LimitNPROC=1
|
|
|
31d1b0 |
ProtectHome=true
|
|
|
31d1b0 |
ProtectSystem=full
|
|
|
31d1b0 |
PrivateTmp=true
|
|
|
31d1b0 |
+ProtectKernelTunables=true
|
|
|
31d1b0 |
+ProtectControlGroups=true
|
|
|
31d1b0 |
+ReadWritePaths=@statedir@
|
|
|
31d1b0 |
+ReadOnlyPaths=@confdir@
|
|
|
31d1b0 |
|
|
|
31d1b0 |
# Privilege escalation
|
|
|
31d1b0 |
NoNewPrivileges=true
|
|
|
31d1b0 |
--
|
|
|
31d1b0 |
2.21.0
|
|
|
31d1b0 |
|