base/SOURCES/restricting-capabilities.patch

From e962b3260a8baa104b2fc914e8e8974c7b70fcd4 Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Fri, 29 Jun 2018 14:03:29 +0300
Subject: [PATCH] data: tighten sandbox by restricting capabilities

We only need CAP_NET_ADMIN capability for the udev netlink socket
manipulations. All other capabilities can be dropped, reducing
the damage that can be done.
Thanks to Richard Maciel Costa <rcosta@redhat.com> for hi help on
this.
---
 data/bolt.service.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/bolt.service.in b/data/bolt.service.in
index 7cb1dae..5c33d43 100644
--- a/data/bolt.service.in
+++ b/data/bolt.service.in
@@ -18,3 +18,4 @@ RestrictAddressFamilies=AF_NETLINK AF_UNIX
 RestrictRealtime=yes
 ReadWritePaths=@dbdir@
 SystemCallFilter=~@mount
+CapabilityBoundingSet=CAP_NET_ADMIN
-- 
2.17.1
bolt package creation Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org> 6 years ago			`From e962b3260a8baa104b2fc914e8e8974c7b70fcd4 Mon Sep 17 00:00:00 2001`
			`From: Christian Kellner <christian@kellner.me>`
			`Date: Fri, 29 Jun 2018 14:03:29 +0300`
			`Subject: [PATCH] data: tighten sandbox by restricting capabilities`

			`We only need CAP_NET_ADMIN capability for the udev netlink socket`
			`manipulations. All other capabilities can be dropped, reducing`
			`the damage that can be done.`
			`Thanks to Richard Maciel Costa <rcosta@redhat.com> for hi help on`
			`this.`
			`---`
			`data/bolt.service.in \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/data/bolt.service.in b/data/bolt.service.in`
			`index 7cb1dae..5c33d43 100644`
			`--- a/data/bolt.service.in`
			`+++ b/data/bolt.service.in`
			`@@ -18,3 +18,4 @@ RestrictAddressFamilies=AF_NETLINK AF_UNIX`
			`RestrictRealtime=yes`
			`ReadWritePaths=@dbdir@`
			`SystemCallFilter=~@mount`
			`+CapabilityBoundingSet=CAP_NET_ADMIN`
			`--`
			`2.17.1`