2019-09-20 14:25:44 +00:00
|
|
|
From 5a65aa9b9d4035f94cee1016a256cec017a42aad Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: Peter Robinson <pbrobinson@gmail.com>
|
|
|
|
|
Date: Fri, 20 Sep 2019 14:55:28 +0100
|
2017-09-20 11:44:17 +00:00
|
|
|
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
|
|
|
|
|
|
|
|
|
|
We can only access the configuration file as read-only and read-write
|
|
|
|
|
to the Bluetooth cache directory and sub-directories.
|
|
|
|
|
---
|
|
|
|
|
Makefile.am | 2 ++
|
|
|
|
|
src/bluetooth.service.in | 4 ++++
|
|
|
|
|
2 files changed, 6 insertions(+)
|
|
|
|
|
|
|
|
|
|
diff --git a/Makefile.am b/Makefile.am
|
2019-09-20 14:25:44 +00:00
|
|
|
index 033faf3bf..f6347a14b 100644
|
2017-09-20 11:44:17 +00:00
|
|
|
--- a/Makefile.am
|
|
|
|
|
+++ b/Makefile.am
|
2019-09-20 14:25:44 +00:00
|
|
|
@@ -563,6 +563,8 @@ MAINTAINERCLEANFILES = Makefile.in \
|
2017-09-20 11:44:17 +00:00
|
|
|
|
|
|
|
|
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
|
2019-09-20 14:25:44 +00:00
|
|
|
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
|
|
|
|
|
+ -e 's,@statedir\@,$(statedir),g' \
|
|
|
|
|
+ -e 's,@confdir\@,$(confdir),g' \
|
2017-09-20 11:44:17 +00:00
|
|
|
< $< > $@
|
|
|
|
|
|
|
|
|
|
%.service: %.service.in Makefile
|
|
|
|
|
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
2019-09-20 14:25:44 +00:00
|
|
|
index 7c2f60bb4..4daedef2a 100644
|
2017-09-20 11:44:17 +00:00
|
|
|
--- a/src/bluetooth.service.in
|
|
|
|
|
+++ b/src/bluetooth.service.in
|
|
|
|
|
@@ -17,6 +17,10 @@ LimitNPROC=1
|
|
|
|
|
ProtectHome=true
|
|
|
|
|
ProtectSystem=full
|
|
|
|
|
PrivateTmp=true
|
|
|
|
|
+ProtectKernelTunables=true
|
|
|
|
|
+ProtectControlGroups=true
|
|
|
|
|
+ReadWritePaths=@statedir@
|
|
|
|
|
+ReadOnlyPaths=@confdir@
|
|
|
|
|
|
|
|
|
|
# Privilege escalation
|
|
|
|
|
NoNewPrivileges=true
|
|
|
|
|
--
|
2019-09-20 14:25:44 +00:00
|
|
|
2.21.0
|
2017-09-20 11:44:17 +00:00
|
|
|
|
