Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

ee2351
From 36a44fc05feebe1aab16c33a1121f952986b2801 Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Wed, 13 Sep 2017 15:23:09 +0200
Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f9faaa452..7c2f60bb4 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
+
+# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
 
 [Install]
 WantedBy=bluetooth.target
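Review bot: the comment placed above NoNewPrivileges=true, "# Privilege escalation", names the thing being prevented rather than the protection, so the block reads as if it enabled escalation; "# Prevent privilege escalation" would match the commit message and the "# Filesystem lockdown" heading style used two lines earlier. The commit message should also say what was checked before flipping the flag: NoNewPrivileges=true blocks every execve()-time privilege gain for bluetoothd and its children, so any setuid or file-capability helper the daemon execs, and on SELinux hosts any domain transition the policy expects for those children, will stop working at runtime while the unit itself still starts; a sentence confirming bluetoothd has no such helpers would let reviewers accept the change without re-deriving that.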
-- 
2.21.0
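As an added example that is not part of this patch nor of the bluez or systemd projects: a POSIX shell script that checks whether a running unit actually has the two protections the commit message describes, by reading the NoNewPrivs flag from /proc/<pid>/status and the origin of /tmp from /proc/<pid>/mountinfo. The function names, the check_unit.sh file name and the sample /proc text are assumptions constructed for this example; the script expects a Linux host with systemd and is meant to be run as root so that another service's /proc entries are readable.

```shell
#!/bin/sh
# Added example for this page, not bluez or systemd code. Assumes a Linux
# host with systemd, a readable /proc, and that the unit under test is running.

# nnp_set STATUS_TEXT
# Succeeds if the given /proc/<pid>/status text reports "NoNewPrivs: 1",
# i.e. the no_new_privs flag that NoNewPrivileges=true sets is in effect.
nnp_set() {
    printf '%s\n' "$1" | grep -qx 'NoNewPrivs:[[:space:]]*1'
}

# private_tmp MOUNTINFO_TEXT
# Succeeds if /tmp in the given /proc/<pid>/mountinfo text is a mount whose
# root (field 4) lives under a systemd-private-* directory, which is how
# PrivateTmp=true gives the service its own /tmp.
private_tmp() {
    printf '%s\n' "$1" | awk '$5 == "/tmp" && $4 ~ /systemd-private-/ { found = 1 } END { exit !found }'
}

# check_service UNIT
# Looks up the live main PID of UNIT and runs both checks against its /proc
# entries. Exit status: 0 if both protections are in effect, 1 if either is
# missing, 2 if the unit is not running.
check_service() {
    unit=$1
    pid=$(systemctl show -p MainPID --value "$unit" 2>/dev/null)
    case ${pid:-0} in
        0) echo "$unit: not running"; return 2 ;;
    esac
    rc=0
    if nnp_set "$(cat "/proc/$pid/status")"; then
        echo "$unit (pid $pid): NoNewPrivs set"
    else
        echo "$unit (pid $pid): NoNewPrivs NOT set"; rc=1
    fi
    if private_tmp "$(cat "/proc/$pid/mountinfo")"; then
        echo "$unit (pid $pid): /tmp is private"
    else
        echo "$unit (pid $pid): /tmp is NOT private"; rc=1
    fi
    return $rc
}

# Constructed sample /proc text (not captured from a real host) so the two
# parsers can be exercised without a running bluetoothd.
SAMPLE_STATUS_HARDENED=$(printf 'Name:\tbluetoothd\nNoNewPrivs:\t1\nSeccomp:\t0\n')
SAMPLE_STATUS_PLAIN=$(printf 'Name:\tbluetoothd\nNoNewPrivs:\t0\nSeccomp:\t0\n')
SAMPLE_MOUNTINFO_HARDENED='25 1 0:23 / / rw,relatime - ext4 /dev/sda1 rw
83 25 0:23 /tmp/systemd-private-2a0f-bluetooth.service-Kq3Zx9/tmp /tmp rw,nosuid,nodev - ext4 /dev/sda1 rw'
SAMPLE_MOUNTINFO_PLAIN='25 1 0:23 / / rw,relatime - ext4 /dev/sda1 rw
30 25 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw'

# Usage: sh check_unit.sh bluetooth.service
if [ $# -gt 0 ]; then
    check_service "$1"
fi
```

This checks the effective state of the process rather than the unit file, which is the distinction that matters after a drop-in or a stale daemon-reload. The configured side can be compared with `systemctl show -p NoNewPrivileges -p PrivateTmp bluetooth.service`, and `systemd-analyze security bluetooth.service` scores the same directives along with the rest of the unit's sandboxing.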