rpms / bluez

Clone
Source Code
GIT

Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   e0630b7f3236bd8d786b885d6e1416fb3c78231a
  2.   SOURCES
  3.   0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch
Blob History Raw
e0630b 
From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
e0630b 
From: Craig Andrews <candrews@integralblue.com>
e0630b 
Date: Wed, 13 Sep 2017 15:23:09 +0200
e0630b 
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
e0630b
e0630b 
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
e0630b 
namespace. This is useful to secure access to temporary files of the
e0630b 
process.
e0630b
e0630b 
NoNewPrivileges ensures that service process and all its children
e0630b 
can never gain new privileges through execve(), lowering the risk of
e0630b 
possible privilege escalations.
e0630b 
---
e0630b 
 src/bluetooth.service.in | 6 ++++++
e0630b 
 1 file changed, 6 insertions(+)
e0630b
e0630b 
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
e0630b 
index f799f65f0..a6f3030f9 100644
e0630b 
--- a/src/bluetooth.service.in
e0630b 
+++ b/src/bluetooth.service.in
e0630b 
@@ -12,8 +12,14 @@ NotifyAccess=main
e0630b 
 #Restart=on-failure
e0630b 
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
e0630b 
 LimitNPROC=1
e0630b 
+
e0630b 
+# Filesystem lockdown
e0630b 
 ProtectHome=true
e0630b 
 ProtectSystem=full
e0630b 
+PrivateTmp=true
e0630b 
+
e0630b 
+# Privilege escalation
e0630b 
+NoNewPrivileges=true
e0630b
e0630b 
 [Install]
e0630b 
 WantedBy=bluetooth.target
e0630b 
--
e0630b 
2.14.1
e0630b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation