From 13a348670fef0047555395ce6977e86e0005f8bd Mon Sep 17 00:00:00 2001

From: Bastien Nocera <hadess@hadess.net>

Date: Wed, 13 Sep 2017 15:37:11 +0200

Subject: [PATCH 3/4] systemd: Add more filesystem lockdown

We can only access the configuration file as read-only and read-write

to the Bluetooth cache directory and sub-directories.

---

 Makefile.am              | 3 +++

 src/bluetooth.service.in | 4 ++++

 2 files changed, 7 insertions(+)

diff --git a/Makefile.am b/Makefile.am

index ac88c12e0..0a6d09847 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -617,6 +617,9 @@

 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \

 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \

+		       -e 's,@libexecdir\@,$(libexecdir),g' \

+		       -e 's,@statedir\@,$(statedir),g' \

+		       -e 's,@confdir\@,$(confdir),g' \

 		< $< > $@

 if RUN_RST2MAN

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in

index 7c2f60bb4..4daedef2a 100644

--- a/src/bluetooth.service.in

+++ b/src/bluetooth.service.in

@@ -17,6 +17,10 @@ LimitNPROC=1

 ProtectHome=true

 ProtectSystem=full

 PrivateTmp=true

+ProtectKernelTunables=true

+ProtectControlGroups=true

+ReadWritePaths=@statedir@

+ReadOnlyPaths=@confdir@

 # Privilege escalation

 NoNewPrivileges=true

-- 

2.21.0