From 1da4185a89fba1c14032ab87757e5fb798d76bc0 Mon Sep 17 00:00:00 2001

From: Gopal Tiwari <gtiwari@redhat.com>

Date: Mon, 8 Jun 2020 19:55:39 +0530

Subject: [PATCH BlueZ 3/4] systemd: Add more filesystem lockdown

From 73a9c0902e7c97adf96e735407a75033152c04a9 Mon Sep 17 00:00:00 2001

From: Bastien Nocera <hadess@hadess.net>

Date: Wed, 13 Sep 2017 15:37:11 +0200

systemd: Add more filesystem lockdown

We can only access the configuration file as read-only and read-write

to the Bluetooth cache directory and sub-directories.

---

 Makefile.am              | 2 ++

 src/bluetooth.service.in | 4 ++++

 2 files changed, 6 insertions(+)

diff --git a/Makefile.am b/Makefile.am

index cdd2fd8fb..0af1a8c45 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -580,6 +580,8 @@ MAINTAINERCLEANFILES = Makefile.in \

 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \

 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \

+		       -e 's,@statedir\@,$(statedir),g' \

+		       -e 's,@confdir\@,$(confdir),g' \

 		< $< > $@

 %.service: %.service.in Makefile

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in

index 7c2f60bb4..4daedef2a 100644

--- a/src/bluetooth.service.in

+++ b/src/bluetooth.service.in

@@ -17,6 +17,10 @@ LimitNPROC=1

 ProtectHome=true

 ProtectSystem=full

 PrivateTmp=true

+ProtectKernelTunables=true

+ProtectControlGroups=true

+ReadWritePaths=@statedir@

+ReadOnlyPaths=@confdir@

 # Privilege escalation

 NoNewPrivileges=true

-- 

2.21.1