From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Wed, 13 Sep 2017 15:23:09 +0200
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f9faaa452..7c2f60bb4 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1
+
+# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
[Install]
WantedBy=bluetooth.target
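Review bot: The `# Privilege escalation` heading added above `NoNewPrivileges=true` reads as if it labels a feature that grants escalation rather than one that blocks it; `# Prevent privilege escalation` would state the intent and match the `# Filesystem lockdown` heading added earlier in the same hunk. The hunk shows no `User=` or `AmbientCapabilities=` line, but the start of the `[Service]` section is outside it, so it is worth confirming in the commit message which identity bluetoothd runs under, since `NoNewPrivileges=` only stops gaining privileges across execve() and does not reduce what the process already holds. `PrivateTmp=true` also makes bluetoothd's /tmp and /var/tmp invisible to other processes, so any tooling that exchanged files with the daemon through those paths would silently stop working — presumably none does, but a note to that effect in the description would help packagers.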
--
2.21.0