diff --git a/0001-build-Always-define-confdir-and-statedir.patch b/0001-build-Always-define-confdir-and-statedir.patch
index 2af8f18..35f64e4 100644
--- a/0001-build-Always-define-confdir-and-statedir.patch
+++ b/0001-build-Always-define-confdir-and-statedir.patch
@@ -1,18 +1,18 @@
-From d0c73c6ce1ab9dc21f6a94be70475c90068e4acc Mon Sep 17 00:00:00 2001
-From: Peter Robinson
-Date: Fri, 20 Sep 2019 14:53:03 +0100
+From 5744f79d84ecee3929a682166034c5bbc36c0ef5 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Wed, 20 Sep 2017 12:49:10 +0200
 Subject: [PATCH 1/4] build: Always define confdir and statedir
 
 As we will need those paths to lock down on them.
 ---
- Makefile.am | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
+ Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/Makefile.am b/Makefile.am
-index 404e6a460..033faf3bf 100644
+index 9d25a815b..ac88c12e0 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -31,14 +31,15 @@ pkginclude_HEADERS =
+@@ -31,14 +31,14 @@ pkginclude_HEADERS =
  AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS) $(UDEV_CFLAGS) $(ell_cflags)
  AM_LDFLAGS = $(MISC_LDFLAGS)
  
@@ -25,7 +25,7 @@ index 404e6a460..033faf3bf 100644
  
 -confdir = $(sysconfdir)/bluetooth
  conf_DATA =
- 
+-
 -statedir = $(localstatedir)/lib/bluetooth
  state_DATA =
  endif
diff --git a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
index b90a692..d6dff2a 100644
--- a/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
+++ b/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
@@ -1,4 +1,4 @@
-From 4e027d3c019846e216c6f76496d71c89f063ed59 Mon Sep 17 00:00:00 2001
+From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
 From: Craig Andrews
 Date: Wed, 13 Sep 2017 15:23:09 +0200
 Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
diff --git a/0003-systemd-Add-more-filesystem-lockdown.patch b/0003-systemd-Add-more-filesystem-lockdown.patch
index 33b3928..d3d6dd4 100644
--- a/0003-systemd-Add-more-filesystem-lockdown.patch
+++ b/0003-systemd-Add-more-filesystem-lockdown.patch
@@ -1,25 +1,26 @@
-From 5a65aa9b9d4035f94cee1016a256cec017a42aad Mon Sep 17 00:00:00 2001
-From: Peter Robinson
-Date: Fri, 20 Sep 2019 14:55:28 +0100
+From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Wed, 13 Sep 2017 15:37:11 +0200
 Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
 
 We can only access the configuration file as read-only and read-write
 to the Bluetooth cache directory and sub-directories.
 ---
- Makefile.am | 2 ++
+ Makefile.am | 3 +++
  src/bluetooth.service.in | 4 ++++
- 2 files changed, 6 insertions(+)
+ 2 files changed, 7 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index 033faf3bf..f6347a14b 100644
+index ac88c12e0..0a6d09847 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -563,6 +563,8 @@ MAINTAINERCLEANFILES = Makefile.in \
+@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \
  
  SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
  $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
-+ -e 's,@statedir\@,$(statedir),g' \
-+ -e 's,@confdir\@,$(confdir),g' \
++ -e 's,@libexecdir\@,$(libexecdir),g' \
++ -e 's,@statedir\@,$(statedir),g' \
++ -e 's,@confdir\@,$(confdir),g' \
  < $< > $@
  
  %.service: %.service.in Makefile
diff --git a/0004-systemd-More-lockdown.patch b/0004-systemd-More-lockdown.patch
index f4afda0..4f9c218 100644
--- a/0004-systemd-More-lockdown.patch
+++ b/0004-systemd-More-lockdown.patch
@@ -1,4 +1,4 @@
-From b3ba84d0327cdda5621f3b4bde7d4cfa496d7c4a Mon Sep 17 00:00:00 2001
+From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera
 Date: Wed, 13 Sep 2017 15:38:26 +0200
 Subject: [PATCH 4/4] systemd: More lockdown
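Review bot: The three `-e 's,@…\@,$(…),g'` lines the new 0003 patch adds to SED_PROCESS splice configure-time paths verbatim into a single-quoted sed script that uses `,` as the s-command delimiter, so a `,`, `'` or `&` in `$(libexecdir)`, `$(statedir)` or `$(confdir)` either aborts sed or substitutes a mangled path (the pre-existing `@pkglibexecdir@` line has the same exposure). Because the output is redirected straight into `$@`, a sed failure still leaves a newer but empty or truncated `.service` that make will treat as up to date on the next run unless the build sets `.DELETE_ON_ERROR`, which is not visible here; judging by the patch's diffstat and subject, those paths are meant to land in `src/bluetooth.service.in` as filesystem lockdown directives, so a bad value would weaken or break the sandbox silently rather than fail the build. Consider a comment next to SED_PROCESS such as `# Paths are spliced verbatim into a ','-delimited sed script; values containing ',', ''' or '&' are not supported`, and writing to `$@.tmp` followed by `mv -f $@.tmp $@` so a failed substitution does not leave a stale target. The `%.service` rule that consumes SED_PROCESS continues outside the hunk.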