08d7f189ee
# Conflicts: # .bluez.metadata # .gitignore # SOURCES/0001-build-Always-define-confdir-and-statedir.patch # SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch # SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch # SOURCES/0004-systemd-More-lockdown.patch # SPECS/bluez.spec
50 lines
1.4 KiB
Diff
50 lines
1.4 KiB
Diff
From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
|
|
From: Gopal Tiwari <gtiwari@redhat.com>
|
|
Date: Mon, 8 Jun 2020 19:55:39 +0530
|
|
Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
|
|
|
|
From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Wed, 13 Sep 2017 15:37:11 +0200
|
|
|
|
systemd: Add more filesystem lockdown
|
|
|
|
We can only access the configuration file as read-only and read-write
|
|
to the Bluetooth cache directory and sub-directories.
|
|
---
|
|
Makefile.am | 2 ++
|
|
src/bluetooth.service.in | 4 ++++
|
|
2 files changed, 6 insertions(+)
|
|
|
|
diff --git a/Makefile.am b/Makefile.am
|
|
index cdd2fd8fb..0af1a8c45 100644
|
|
--- a/Makefile.am
|
|
+++ b/Makefile.am
|
|
@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
|
|
|
|
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
|
|
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
|
|
+ -e 's,@statedir\@,$(statedir),g' \
|
|
+ -e 's,@confdir\@,$(confdir),g' \
|
|
< $< > $@
|
|
|
|
%.service: %.service.in Makefile
|
|
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
|
|
index 7c2f60bb4..4daedef2a 100644
|
|
--- a/src/bluetooth.service.in
|
|
+++ b/src/bluetooth.service.in
|
|
@@ -17,6 +17,10 @@ LimitNPROC=1
|
|
ProtectHome=true
|
|
ProtectSystem=full
|
|
PrivateTmp=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectControlGroups=true
|
|
+ReadWritePaths=@statedir@
|
|
+ReadOnlyPaths=@confdir@
|
|
|
|
# Privilege escalation
|
|
NoNewPrivileges=true
|
|
--
|
|
2.21.1
|
|
|