From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 8 Jun 2020 19:56:42 +0530
Subject: [PATCH BlueZ 4/4] systemd: More lockdown
From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 13 Sep 2017 15:38:26 +0200
systemd: More lockdown
bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 4daedef2a..f18801866 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
ReadWritePaths=@statedir@
ReadOnlyPaths=@confdir@
|
|
|
|
|
|
|
|
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
# Privilege escalation
NoNewPrivileges=true
|
|
|
|
|
|
|
|
+# Real-time
+RestrictRealtime=true
+
[Install]
WantedBy=bluetooth.target
Alias=dbus-org.bluez.service
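Review bot: The `MemoryDenyWriteExecute=true` line added under `# Execute Mappings` fails any later mmap/mprotect that asks for a writable-and-executable mapping inside bluetoothd, so a plugin or library that relies on W+X memory would break at runtime rather than at unit load, and the two-word section comment does not record why that is acceptable here. A slightly fuller comment, e.g. `# Execute Mappings: bluetoothd and its plugins never need writable+executable memory`, would make the assumption explicit for whoever later adds a plugin. The same documentation point applies to the `# Real-time` / `RestrictRealtime=true` lines, which only state the mechanism and not that bluetoothd has no real-time scheduling requirement. Note that on systemd releases predating these directives they are ignored with a warning, so the lockdown is silently absent there and is not a substitute for the other sandboxing already in the unit.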
--
2.21.1