Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Wed, 13 Sep 2017 15:23:09 +0200
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f799f65f0..a6f3030f9 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
+
+# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
 
 [Install]
 WantedBy=bluetooth.target
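Review bot: the new comment `# Privilege escalation` directly above `NoNewPrivileges=true` reads as though the section enables escalation rather than blocks it; consider `# Prevent privilege escalation` so the unit file matches the intent stated in the commit message. Also note that `# Filesystem lockdown` is inserted above the pre-existing `ProtectHome=true` and `ProtectSystem=full` lines, so the hunk regroups those settings under the new heading as well as adding `PrivateTmp=true`; that is reasonable, but the commit message only mentions the two new options.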
-- 
2.14.1