You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 lines
1.1 KiB
38 lines
1.1 KiB
From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001 |
|
From: Craig Andrews <candrews@integralblue.com> |
|
Date: Wed, 13 Sep 2017 15:23:09 +0200 |
|
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options |
|
|
|
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different |
|
namespace. This is useful to secure access to temporary files of the |
|
process. |
|
|
|
NoNewPrivileges ensures that service process and all its children |
|
can never gain new privileges through execve(), lowering the risk of |
|
possible privilege escalations. |
|
--- |
|
src/bluetooth.service.in | 6 ++++++ |
|
1 file changed, 6 insertions(+) |
|
|
|
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in |
|
index f9faaa452..7c2f60bb4 100644 |
|
--- a/src/bluetooth.service.in |
|
+++ b/src/bluetooth.service.in |
|
@@ -12,8 +12,14 @@ NotifyAccess=main |
|
#Restart=on-failure |
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE |
|
LimitNPROC=1 |
|
+ |
|
+# Filesystem lockdown |
|
ProtectHome=true |
|
ProtectSystem=full |
|
+PrivateTmp=true |
|
+ |
|
+# Privilege escalation |
|
+NoNewPrivileges=true |
|
|
|
[Install] |
|
WantedBy=bluetooth.target |
|
-- |
|
2.21.0 |
|
|
|
|