From e3a903618c278ae69c4e7c59c0c315836a92cf06 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Dec 09 2020 08:46:57 +0000 Subject: 0003-systemd-Add-more-filesystem-lockdown.patch patch_name: 0003-systemd-Add-more-filesystem-lockdown.patch present_in_specfile: true location_in_specfile: 5
---
diff --git a/Makefile.am b/Makefile.am
index 6e77ed9..ea9b1eb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+ -e 's,@statedir\@,$(statedir),g' \
+ -e 's,@confdir\@,$(confdir),g' \
 < $< > $@
 %.service: %.service.in Makefile
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60b..4daedef 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
 ProtectHome=true
 ProtectSystem=full
 PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
 # Privilege escalation
 NoNewPrivileges=true
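Review bot: The two added `-e` expressions in SED_PROCESS substitute `$(statedir)` and `$(confdir)`, but nothing in the hunk guarantees either variable is set. An empty value would turn the unit's `ReadWritePaths=` and `ReadOnlyPaths=` lines into empty assignments, which systemd treats as resetting the list rather than as an error, so the hardening would disappear without any build or start-up failure. The definitions are presumably elsewhere in Makefile.am, outside this hunk, so this is something to confirm rather than a known defect. A comment above the macro would record the coupling, e.g. `# statedir and confdir end up in the unit's ReadWritePaths=/ReadOnlyPaths=; an empty value silently drops that restriction`.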
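Review bot: `ReadWritePaths=@statedir@` only has an effect where the path would otherwise be read-only, and the context line `ProtectSystem=full` leaves /var writable. If statedir expands to a directory under /var (its value is not visible here), the new line therefore does not confine writes to that directory. Turning it into an actual write allow-list needs `ProtectSystem=strict` in place of `full`. Both path directives also make the unit fail during namespace setup when the listed directory is missing, for example on a fresh install before the state directory exists; the packaging should create it, or the entry can be written `ReadWritePaths=-@statedir@` so that absence is tolerated. The unit's section continues outside the hunk.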