Blame SOURCES/0002-systemd-Add-PrivateTmp-and-NoNewPrivileges-options.patch

1835d6
From 98826d0717fe831265256f996c9e90d15262bef1 Mon Sep 17 00:00:00 2001
1835d6
From: Gopal Tiwari <gtiwari@redhat.com>
1835d6
Date: Mon, 8 Jun 2020 19:54:24 +0530
1835d6
Subject: [PATCH BlueZ 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
1835d6
d15ffa
From 4570164f0c90603bd07eb9e7c07e17bbafb5b5da Mon Sep 17 00:00:00 2001
d15ffa
From: Craig Andrews <candrews@integralblue.com>
d15ffa
Date: Wed, 13 Sep 2017 15:23:09 +0200
1835d6
1835d6
systemd: Add PrivateTmp and NoNewPrivileges options
d15ffa
d15ffa
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
d15ffa
namespace. This is useful to secure access to temporary files of the
d15ffa
process.
d15ffa
d15ffa
NoNewPrivileges ensures that the service process and all its children
d15ffa
can never gain new privileges through execve(), lowering the risk of
d15ffa
possible privilege escalations.
d15ffa
---
d15ffa
 src/bluetooth.service.in | 6 ++++++
d15ffa
 1 file changed, 6 insertions(+)
d15ffa
d15ffa
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
1835d6
index f9faaa452..7c2f60bb4 100644
d15ffa
--- a/src/bluetooth.service.in
d15ffa
+++ b/src/bluetooth.service.in
d15ffa
@@ -12,8 +12,14 @@ NotifyAccess=main
d15ffa
 #Restart=on-failure
d15ffa
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
d15ffa
 LimitNPROC=1
d15ffa
+
d15ffa
+# Filesystem lockdown
d15ffa
 ProtectHome=true
d15ffa
 ProtectSystem=full
d15ffa
+PrivateTmp=true
d15ffa
+
d15ffa
+# Privilege escalation
d15ffa
+NoNewPrivileges=true
d15ffa
 
d15ffa
 [Install]
d15ffa
 WantedBy=bluetooth.target
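Review bot: the comment `+# Privilege escalation` placed above `+NoNewPrivileges=true` reads as if the block enables escalation rather than blocks it; `# Privilege escalation prevention` (or `# Block privilege escalation`) would match the intent stated in the commit message and the `# Filesystem lockdown` comment style used two lines earlier. Separately, because NoNewPrivileges=true is inherited by every child, any setuid or file-capability helper that bluetoothd might exec would run without its extra privileges, so confirm none is needed before merging, and after deployment check that the flag actually took effect with `systemctl show -p NoNewPrivileges bluetooth.service` and `grep NoNewPrivs /proc/$(pidof bluetoothd)/status` (expect `NoNewPrivs:	1`).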
d15ffa
-- 
1835d6
2.21.1
d15ffa
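As an added example, not part of the BlueZ patch or of this package repository, the following Python audit checks whether a unit file carries the hardening directives the patch adds (PrivateTmp, NoNewPrivileges, alongside the ProtectHome/ProtectSystem lines already present) and parses the NoNewPrivs line of /proc/<pid>/status to confirm the flag on the running daemon. The two unit texts are reconstructed from the hunk; the `[Service]` header is assumed because the hunk does not show it, and the /proc excerpt is constructed.

```python
"""Audit a bluetooth.service-style unit for PrivateTmp/NoNewPrivileges hardening
and confirm the NoNewPrivs bit on a running process.

Added example, not BlueZ or systemd code. The unit texts are reconstructed
from the patch hunk (the [Service] header is assumed); the /proc status
excerpt is constructed.
"""
import re

# Boolean spellings systemd accepts (systemd.syntax(7)): yes/true/on/1.
TRUE_VALUES = {"1", "yes", "true", "on"}

# Directive -> accepted values. ProtectSystem=full/strict are the stronger
# forms; plain true only covers /usr and /boot. ProtectHome also accepts
# read-only and tmpfs.
EXPECTED = {
    "PrivateTmp": TRUE_VALUES,
    "NoNewPrivileges": TRUE_VALUES,
    "ProtectHome": TRUE_VALUES | {"read-only", "tmpfs"},
    "ProtectSystem": TRUE_VALUES | {"full", "strict"},
}


def parse_unit(text):
    """Minimal unit-file parser: {section: {key: value}}.

    A later assignment of the same key overrides an earlier one, as systemd
    does for single-valued settings. Lines starting with '#' or ';' are
    comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def missing_hardening(unit_text):
    """Directives from EXPECTED that are absent from [Service] or set to a
    value outside the accepted set (e.g. NoNewPrivileges=no)."""
    service = parse_unit(unit_text).get("Service", {})
    return [key for key, ok in EXPECTED.items()
            if service.get(key, "").lower() not in ok]


def no_new_privs_from_status(status_text):
    """Parse the NoNewPrivs line of /proc/<pid>/status.

    Returns True/False, or None if the kernel did not report the field.
    """
    m = re.search(r"^NoNewPrivs:\s*([01])$", status_text, re.MULTILINE)
    return None if m is None else m.group(1) == "1"


# Constructed: the [Service]/[Install] part of the unit before the patch.
BEFORE_UNIT = """[Service]
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=bluetooth.target
"""

# Constructed: the same unit after the patch is applied.
AFTER_UNIT = """[Service]
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1

# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
PrivateTmp=true

# Privilege escalation
NoNewPrivileges=true

[Install]
WantedBy=bluetooth.target
"""

# Constructed /proc/<pid>/status excerpt for a hardened bluetoothd.
SAMPLE_STATUS = "Name:\tbluetoothd\nPid:\t812\nNoNewPrivs:\t1\nSeccomp:\t0\n"

if __name__ == "__main__":
    print("before patch, missing:", missing_hardening(BEFORE_UNIT))
    print("after patch, missing: ", missing_hardening(AFTER_UNIT))
    print("sample process NoNewPrivs:", no_new_privs_from_status(SAMPLE_STATUS))
    # On a live system: open(f"/proc/{pid}/status").read() for bluetoothd's pid.
```

To check a deployed daemon, feed the real file contents of `/proc/<pid>/status` into `no_new_privs_from_status`; a `False` there with `NoNewPrivileges=true` in the unit means the unit was edited but not reloaded and restarted.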