From e962b3260a8baa104b2fc914e8e8974c7b70fcd4 Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Fri, 29 Jun 2018 14:03:29 +0300
Subject: [PATCH] data: tighten sandbox by restricting capabilities

We only need CAP_NET_ADMIN capability for the udev netlink socket
manipulations. All other capabilities can be dropped, reducing
the damage that can be done.
Thanks to Richard Maciel Costa <rcosta@redhat.com> for his help on
this.
---
 data/bolt.service.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/bolt.service.in b/data/bolt.service.in
index 7cb1dae..5c33d43 100644
--- a/data/bolt.service.in
+++ b/data/bolt.service.in
@@ -18,3 +18,4 @@ RestrictAddressFamilies=AF_NETLINK AF_UNIX
 RestrictRealtime=yes
 ReadWritePaths=@dbdir@
 SystemCallFilter=~@mount
+CapabilityBoundingSet=CAP_NET_ADMIN
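Review bot: The reason CAP_NET_ADMIN must stay in the bounding set (the udev netlink socket, per the commit message) is not recorded in the unit itself; consider a `#` comment directly above `CapabilityBoundingSet=CAP_NET_ADMIN` so that a later hardening pass neither drops it nor re-widens the set without that context. Since CapabilityBoundingSet applies to every process of the unit, including anything the daemon spawns, it is also worth confirming after the change that the service starts and still receives udev events, e.g. with `systemctl show bolt.service -p CapabilityBoundingSet` and a look at the daemon's log output.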
-- 
2.17.1