From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 8 Jun 2020 19:54:24 +0530
Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Wed, 13 Sep 2017 15:23:09 +0200
systemd: Add PrivateTmp and NoNewPrivileges options
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f9faaa452..7c2f60bb4 100644
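--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
+
+# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
 
 [Install]
 WantedBy=bluetooth.target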
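Review bot: The section comment `# Privilege escalation` above `NoNewPrivileges=true` names the threat rather than what the directive does, and can be read as if the block enables it. A comment such as `# Block privilege gain through setuid/setgid or file-capability binaries on execve()` says what the line enforces. The same applies to `# Filesystem lockdown`: `ProtectSystem=full` in the context lines still leaves /var writable, so a short comment on what remains writable (presumably the daemon's state directory, to be confirmed) would keep the heading from overstating the confinement. The [Service] section starts above this hunk, so other directives may already cover part of this. After installing the unit, `systemd-analyze security bluetooth.service` gives a quick check that both new options are in effect.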
--
2.21.1