bluez/SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
CentOS Sources 08d7f189ee import bluez-5.52-1.el8
# Conflicts:
#	.bluez.metadata
#	.gitignore
#	SOURCES/0001-build-Always-define-confdir-and-statedir.patch
#	SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
#	SOURCES/0003-systemd-Add-more-filesystem-lockdown.patch
#	SOURCES/0004-systemd-More-lockdown.patch
#	SPECS/bluez.spec
2021-08-31 14:58:34 +00:00

50 lines
1.4 KiB
Diff

From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001
From: Gopal Tiwari <gtiwari@redhat.com>
Date: Mon, 8 Jun 2020 19:55:39 +0530
Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown
From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 13 Sep 2017 15:37:11 +0200
systemd: Add more filesystem lockdown
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
---
Makefile.am | 2 ++
src/bluetooth.service.in | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index cdd2fd8fb..0af1a8c45 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+ -e 's,@statedir\@,$(statedir),g' \
+ -e 's,@confdir\@,$(confdir),g' \
< $< > $@
%.service: %.service.in Makefile
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
# Privilege escalation
NoNewPrivileges=true
--
2.21.1