rpms / bluez

Clone
Source Code
GIT

Blame 0003-systemd-Add-more-filesystem-lockdown.patch

c4 c5 c5-plus c6 c6-plus c7 c8-beta f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f20-gnome-3-12 f21 f22 f23 f24 f25 f26 f27 f28 f29 f9 master rawhide/user/lkundrak/bluez-5.1 rawhide/user/lkundrak/bluez-5.1-1
  1.   b2ac1e07e00cf3c432a1fbe3359be316796036a4
  2.   0003-systemd-Add-more-filesystem-lockdown.patch
Blob History Raw
Bastien Nocera f88bf4 
From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001
Bastien Nocera f88bf4 
From: Bastien Nocera <hadess@hadess.net>
Bastien Nocera f88bf4 
Date: Wed, 13 Sep 2017 15:37:11 +0200
Bastien Nocera f88bf4 
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
We can only access the configuration file as read-only and read-write
Bastien Nocera f88bf4 
to the Bluetooth cache directory and sub-directories.
Bastien Nocera f88bf4 
---
Bastien Nocera f88bf4 
 Makefile.am              | 2 ++
Bastien Nocera f88bf4 
 src/bluetooth.service.in | 4 ++++
Bastien Nocera f88bf4 
 2 files changed, 6 insertions(+)
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
diff --git a/Makefile.am b/Makefile.am
Bastien Nocera f88bf4 
index 1c38d94e5..13ccf9079 100644
Bastien Nocera f88bf4 
--- a/Makefile.am
Bastien Nocera f88bf4 
+++ b/Makefile.am
Bastien Nocera f88bf4 
@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
Bastien Nocera f88bf4 
 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
Bastien Nocera f88bf4 
+		       -e 's,@statedir\@,$(statedir),g' \
Bastien Nocera f88bf4 
+		       -e 's,@confdir\@,$(confdir),g' \
Bastien Nocera f88bf4 
 		< $< > $@
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
 %.service: %.service.in Makefile
Bastien Nocera f88bf4 
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
Bastien Nocera f88bf4 
index a6f3030f9..7e55b5043 100644
Bastien Nocera f88bf4 
--- a/src/bluetooth.service.in
Bastien Nocera f88bf4 
+++ b/src/bluetooth.service.in
Bastien Nocera f88bf4 
@@ -17,6 +17,10 @@ LimitNPROC=1
Bastien Nocera f88bf4 
 ProtectHome=true
Bastien Nocera f88bf4 
 ProtectSystem=full
Bastien Nocera f88bf4 
 PrivateTmp=true
Bastien Nocera f88bf4 
+ProtectKernelTunables=true
Bastien Nocera f88bf4 
+ProtectControlGroups=true
Bastien Nocera f88bf4 
+ReadWritePaths=@statedir@
Bastien Nocera f88bf4 
+ReadOnlyPaths=@confdir@
Bastien Nocera f88bf4
Bastien Nocera f88bf4 
 # Privilege escalation
Bastien Nocera f88bf4 
 NoNewPrivileges=true
Bastien Nocera f88bf4 
--
Bastien Nocera f88bf4 
2.14.1
Bastien Nocera f88bf4

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation