bluez/SOURCES/0004-systemd-More-lockdown.patch

41 lines
1014 B
Diff
Raw Normal View History

2020-11-03 11:50:46 +00:00
From 9a7872f04cb748e8de743d9136ecd91539d13cb7 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 8 Jun 2020 19:56:42 +0530
Subject: [PATCH BlueZ 4/4] systemd: More lockdown
2019-05-07 10:48:45 +00:00
From 171d812218883281fed57b57fafd5c18eac441ac Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 13 Sep 2017 15:38:26 +0200
2020-11-03 11:50:46 +00:00
systemd: More lockdown
2019-05-07 10:48:45 +00:00
bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
2020-11-03 11:50:46 +00:00
index 4daedef2a..f18801866 100644
2019-05-07 10:48:45 +00:00
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
ReadWritePaths=@statedir@
ReadOnlyPaths=@confdir@
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
# Privilege escalation
NoNewPrivileges=true
+# Real-time
+RestrictRealtime=true
+
[Install]
WantedBy=bluetooth.target
Alias=dbus-org.bluez.service
--
2020-11-03 11:50:46 +00:00
2.21.1
2019-05-07 10:48:45 +00:00