39 lines
1.1 KiB
Diff
39 lines
1.1 KiB
Diff
|
From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
|
||
|
From: Craig Andrews <candrews@integralblue.com>
|
||
|
Date: Wed, 13 Sep 2017 15:23:09 +0200
|
||
|
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
|
||
|
|
||
|
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
|
||
|
namespace. This is useful to secure access to temporary files of the
|
||
|
process.
|
||
|
|
||
|
NoNewPrivileges ensures that service process and all its children
|
||
|
can never gain new privileges through execve(), lowering the risk of
|
||
|
possible privilege escalations.
|
||
|
---
|
||
|
src/bluetooth.service.in | 6 ++++++
|
||
|
1 file changed, 6 insertions(+)
|
||
|
|
||
|
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
||
|
index f9faaa452..7c2f60bb4 100644
|
||
|
--- a/src/bluetooth.service.in
|
||
|
+++ b/src/bluetooth.service.in
|
||
|
@@ -12,8 +12,14 @@ NotifyAccess=main
|
||
|
#Restart=on-failure
|
||
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
|
||
|
LimitNPROC=1
|
||
|
+
|
||
|
+# Filesystem lockdown
|
||
|
ProtectHome=true
|
||
|
ProtectSystem=full
|
||
|
+PrivateTmp=true
|
||
|
+
|
||
|
+# Privilege escalation
|
||
|
+NoNewPrivileges=true
|
||
|
|
||
|
[Install]
|
||
|
WantedBy=bluetooth.target
|
||
|
--
|
||
|
2.21.0
|
||
|
|