From e962b3260a8baa104b2fc914e8e8974c7b70fcd4 Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Fri, 29 Jun 2018 14:03:29 +0300
Subject: [PATCH] data: tighten sandbox by restricting capabilities

We only need CAP_NET_ADMIN capability for the udev netlink socket
manipulations. All other capabilities can be dropped, reducing
the damage that can be done.

Thanks to Richard Maciel Costa <rcosta@redhat.com> for his help on
this.
---
 data/bolt.service.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/bolt.service.in b/data/bolt.service.in
index 7cb1dae..5c33d43 100644
--- a/data/bolt.service.in
+++ b/data/bolt.service.in
|
@@ -18,3 +18,4 @@ RestrictAddressFamilies=AF_NETLINK AF_UNIX |
|
RestrictRealtime=yes |
|
ReadWritePaths=@dbdir@ |
|
SystemCallFilter=~@mount |
|
+CapabilityBoundingSet=CAP_NET_ADMIN |
|
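Review bot: the reason exactly CAP_NET_ADMIN is kept lives only in the commit message; add a comment above `CapabilityBoundingSet=CAP_NET_ADMIN` in data/bolt.service.in saying it is retained for the udev netlink socket, so the next person tightening or loosening this unit knows why that one capability survives. A capability missing from the bounding set shows up as EPERM at runtime rather than as a unit load error, so the claim that nothing else is needed should be verified by running the daemon's normal device handling under the new unit rather than only by starting it; the effective set can be confirmed with `grep CapBnd /proc/$(systemctl show -p MainPID --value bolt.service)/status`, which should read 0000000000001000 (CAP_NET_ADMIN is capability number 12), or decoded with `capsh --decode=0000000000001000`.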
-- 
2.17.1