From e962b3260a8baa104b2fc914e8e8974c7b70fcd4 Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Fri, 29 Jun 2018 14:03:29 +0300
Subject: [PATCH] data: tighten sandbox by restricting capabilities
We only need CAP_NET_ADMIN capability for the udev netlink socket
manipulations. All other capabilities can be dropped, reducing
the damage that can be done.
Thanks to Richard Maciel Costa <rcosta@redhat.com> for his help on
this.
---
data/bolt.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/data/bolt.service.in b/data/bolt.service.in
index 7cb1dae..5c33d43 100644
--- a/data/bolt.service.in
+++ b/data/bolt.service.in
@@ -18,3 +18,4 @@ RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictRealtime=yes
ReadWritePaths=@dbdir@
SystemCallFilter=~@mount
+CapabilityBoundingSet=CAP_NET_ADMIN
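Review bot: The added `CapabilityBoundingSet=CAP_NET_ADMIN` line carries no explanation of why this one capability must survive, and a unit-file reader cannot see the commit message; a comment such as `# CAP_NET_ADMIN is required for the udev netlink socket; all other capabilities are dropped` directly above it would keep the rationale with the setting. The bounding set only caps what the process may hold: it is effective here presumably because the service runs as root (no `User=` is visible in this hunk), and if the unit is ever moved to an unprivileged `User=`, `AmbientCapabilities=CAP_NET_ADMIN` would additionally be needed for the daemon to actually hold the capability. It is also worth confirming that `NoNewPrivileges=yes` is set earlier in the unit (outside the hunk) so the process cannot regain capabilities through setuid or file-capability executables. The effective result can be checked at runtime by reading `CapBnd` in `/proc/<pid>/status` for the running daemon.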
--
2.17.1