Tree - rpms/bluez - CentOS Git server

rpms / bluez

Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

Blob History Raw

		505b3c	`From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001`
		505b3c	`From: Gopal Tiwari <gtiwari@redhat.com>`
		505b3c	`Date: Mon, 8 Jun 2020 19:54:24 +0530`
		505b3c	`Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options`
		505b3c
		ab4cc4	`From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001`
		ab4cc4	`From: Craig Andrews <candrews@integralblue.com>`
		ab4cc4	`Date: Wed, 13 Sep 2017 15:23:09 +0200`
		505b3c
		505b3c	`systemd: Add PrivateTmp and NoNewPrivileges options`
		ab4cc4
		ab4cc4	`PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different`
		ab4cc4	`namespace. This is useful to secure access to temporary files of the`
		ab4cc4	`process.`
		ab4cc4
		ab4cc4	`NoNewPrivileges ensures that service process and all its children`
		ab4cc4	`can never gain new privileges through execve(), lowering the risk of`
		ab4cc4	`possible privilege escalations.`
		ab4cc4	`---`
		ab4cc4	`src/bluetooth.service.in \| 6 ++++++`
		ab4cc4	`1 file changed, 6 insertions(+)`
		ab4cc4
		ab4cc4	`diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in`
		505b3c	`index f9faaa452..7c2f60bb4 100644`
		ab4cc4	`--- a/src/bluetooth.service.in`
		ab4cc4	`+++ b/src/bluetooth.service.in`
		ab4cc4	`@@ -12,8 +12,14 @@ NotifyAccess=main`
		ab4cc4	`#Restart=on-failure`
		ab4cc4	`CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`
		ab4cc4	`LimitNPROC=1`
		ab4cc4	`+`
		ab4cc4	`+# Filesystem lockdown`
		ab4cc4	`ProtectHome=true`
		ab4cc4	`ProtectSystem=full`
		ab4cc4	`+PrivateTmp=true`
		ab4cc4	`+`
		ab4cc4	`+# Privilege escalation`
		ab4cc4	`+NoNewPrivileges=true`
		ab4cc4
		ab4cc4	`[Install]`
		ab4cc4	`WantedBy=bluetooth.target`
		ab4cc4	`--`
		505b3c	`2.21.1`
		ab4cc4

rpms / bluez

Source Code

Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch