You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34 lines
835 B
34 lines
835 B
From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001 |
|
From: Bastien Nocera <hadess@hadess.net> |
|
Date: Wed, 13 Sep 2017 15:38:26 +0200 |
|
Subject: [PATCH 4/4] systemd: More lockdown |
|
|
|
bluetoothd does not need to execute mapped memory, or real-time |
|
access, so block those. |
|
--- |
|
src/bluetooth.service.in | 6 ++++++ |
|
1 file changed, 6 insertions(+) |
|
|
|
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in |
|
index 4daedef2a..f18801866 100644 |
|
--- a/src/bluetooth.service.in |
|
+++ b/src/bluetooth.service.in |
|
@@ -22,9 +22,15 @@ ProtectControlGroups=true |
|
ReadWritePaths=@statedir@ |
|
ReadOnlyPaths=@confdir@ |
|
|
|
+# Execute Mappings |
|
+MemoryDenyWriteExecute=true |
|
+ |
|
# Privilege escalation |
|
NoNewPrivileges=true |
|
|
|
+# Real-time |
|
+RestrictRealtime=true |
|
+ |
|
[Install] |
|
WantedBy=bluetooth.target |
|
Alias=dbus-org.bluez.service |
|
-- |
|
2.21.0 |
|
|
|
|