You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.3 KiB
44 lines
1.3 KiB
From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001 |
|
From: Bastien Nocera <hadess@hadess.net> |
|
Date: Wed, 13 Sep 2017 15:37:11 +0200 |
|
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown |
|
|
|
We can only access the configuration file as read-only and read-write |
|
to the Bluetooth cache directory and sub-directories. |
|
--- |
|
Makefile.am | 3 +++ |
|
src/bluetooth.service.in | 4 ++++ |
|
2 files changed, 7 insertions(+) |
|
|
|
diff --git a/Makefile.am b/Makefile.am |
|
index ac88c12e0..0a6d09847 100644 |
|
--- a/Makefile.am |
|
+++ b/Makefile.am |
|
@@ -562,6 +562,9 @@ MAINTAINERCLEANFILES = Makefile.in \ |
|
|
|
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ |
|
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \ |
|
+ -e 's,@libexecdir\@,$(libexecdir),g' \ |
|
+ -e 's,@statedir\@,$(statedir),g' \ |
|
+ -e 's,@confdir\@,$(confdir),g' \ |
|
< $< > $@ |
|
|
|
%.service: %.service.in Makefile |
|
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in |
|
index 7c2f60bb4..4daedef2a 100644 |
|
--- a/src/bluetooth.service.in |
|
+++ b/src/bluetooth.service.in |
|
@@ -17,6 +17,10 @@ LimitNPROC=1 |
|
ProtectHome=true |
|
ProtectSystem=full |
|
PrivateTmp=true |
|
+ProtectKernelTunables=true |
|
+ProtectControlGroups=true |
|
+ReadWritePaths=@statedir@ |
|
+ReadOnlyPaths=@confdir@ |
|
|
|
# Privilege escalation |
|
NoNewPrivileges=true |
|
-- |
|
2.21.0 |
|
|
|
|