rpms / bluez

Clone
Source Code
GIT

Blame 0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

c4 c5 c5-plus c6 c6-plus c7 c8-beta f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f20-gnome-3-12 f21 f22 f23 f24 f25 f26 f27 f28 f29 f9 master rawhide/user/lkundrak/bluez-5.1 rawhide/user/lkundrak/bluez-5.1-1
  1.   b2ac1e07e00cf3c432a1fbe3359be316796036a4
  2.   0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
Blob History Raw
Bastien Nocera f88bf4 
From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
Bastien Nocera f88bf4 
From: Craig Andrews <candrews@integralblue.com>
Bastien Nocera f88bf4 
Date: Wed, 13 Sep 2017 15:23:09 +0200
Bastien Nocera f88bf4 
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
Bastien Nocera f88bf4 
namespace. This is useful to secure access to temporary files of the
Bastien Nocera f88bf4 
process.
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
NoNewPrivileges ensures that service process and all its children
Bastien Nocera f88bf4 
can never gain new privileges through execve(), lowering the risk of
Bastien Nocera f88bf4 
possible privilege escalations.
Bastien Nocera f88bf4 
---
Bastien Nocera f88bf4 
 src/bluetooth.service.in | 6 ++++++
Bastien Nocera f88bf4 
 1 file changed, 6 insertions(+)
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
Bastien Nocera f88bf4 
index f799f65f0..a6f3030f9 100644
Bastien Nocera f88bf4 
--- a/src/bluetooth.service.in
Bastien Nocera f88bf4 
+++ b/src/bluetooth.service.in
Bastien Nocera f88bf4 
@@ -12,8 +12,14 @@ NotifyAccess=main
Bastien Nocera f88bf4 
 #Restart=on-failure
Bastien Nocera f88bf4 
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
Bastien Nocera f88bf4 
 LimitNPROC=1
Bastien Nocera f88bf4 
+
Bastien Nocera f88bf4 
+# Filesystem lockdown
Bastien Nocera f88bf4 
 ProtectHome=true
Bastien Nocera f88bf4 
 ProtectSystem=full
Bastien Nocera f88bf4 
+PrivateTmp=true
Bastien Nocera f88bf4 
+
Bastien Nocera f88bf4 
+# Privilege escalation
Bastien Nocera f88bf4 
+NoNewPrivileges=true
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
 [Install]
Bastien Nocera f88bf4 
 WantedBy=bluetooth.target
Bastien Nocera f88bf4 
--
Bastien Nocera f88bf4 
2.14.1
Bastien Nocera f88bf4

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation