Tree - rpms/bluez - CentOS Git server

rpms / bluez

Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

Blob History Raw

		b05691	`From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001`
		b05691	`From: Gopal Tiwari <gtiwari@redhat.com>`
		b05691	`Date: Mon, 8 Jun 2020 19:54:24 +0530`
		b05691	`Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options`
		b05691
		e0630b	`From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001`
		e0630b	`From: Craig Andrews <candrews@integralblue.com>`
		e0630b	`Date: Wed, 13 Sep 2017 15:23:09 +0200`
		b05691
		b05691	`systemd: Add PrivateTmp and NoNewPrivileges options`
		e0630b
		e0630b	`PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different`
		e0630b	`namespace. This is useful to secure access to temporary files of the`
		e0630b	`process.`
		e0630b
		e0630b	`NoNewPrivileges ensures that service process and all its children`
		e0630b	`can never gain new privileges through execve(), lowering the risk of`
		e0630b	`possible privilege escalations.`
		e0630b	`---`
		e0630b	`src/bluetooth.service.in \| 6 ++++++`
		e0630b	`1 file changed, 6 insertions(+)`
		e0630b
		e0630b	`diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in`
		b05691	`index f9faaa452..7c2f60bb4 100644`
		e0630b	`--- a/src/bluetooth.service.in`
		e0630b	`+++ b/src/bluetooth.service.in`
		e0630b	`@@ -12,8 +12,14 @@ NotifyAccess=main`
		e0630b	`#Restart=on-failure`
		e0630b	`CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`
		e0630b	`LimitNPROC=1`
		e0630b	`+`
		e0630b	`+# Filesystem lockdown`
		e0630b	`ProtectHome=true`
		e0630b	`ProtectSystem=full`
		e0630b	`+PrivateTmp=true`
		e0630b	`+`
		e0630b	`+# Privilege escalation`
		e0630b	`+NoNewPrivileges=true`
		e0630b
		e0630b	`[Install]`
		e0630b	`WantedBy=bluetooth.target`
		e0630b	`--`
		b05691	`2.21.1`
		e0630b

rpms / bluez

Source Code

Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch