
From a6963e0402695d7b6a89c1b1c75c40dbd8fcde52 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 13 Sep 2017 15:38:26 +0200
Subject: [PATCH 4/4] systemd: More lockdown
bluetoothd does not need to execute mapped memory or real-time
scheduling, so block both.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
31d1b0
index 4daedef2a..f18801866 100644
31d1b0
--- a/src/bluetooth.service.in
31d1b0
+++ b/src/bluetooth.service.in
31d1b0
@@ -22,9 +22,15 @@ ProtectControlGroups=true
31d1b0
 ReadWritePaths=@statedir@
31d1b0
 ReadOnlyPaths=@confdir@
31d1b0
 
31d1b0
+# Execute Mappings
31d1b0
+MemoryDenyWriteExecute=true
31d1b0
+
31d1b0
 # Privilege escalation
31d1b0
 NoNewPrivileges=true
31d1b0
 
31d1b0
+# Real-time
31d1b0
+RestrictRealtime=true
31d1b0
+
31d1b0
 [Install]
31d1b0
 WantedBy=bluetooth.target
31d1b0
 Alias=dbus-org.bluez.service
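Review bot: The two new section comments, `# Execute Mappings` and `# Real-time`, record which directive follows but not why it is safe for bluetoothd, which is exactly what a maintainer needs when one of them is later suspected of breaking the daemon; I would write `# Execute Mappings: bluetoothd has no JIT, so W+X mappings are never needed` and `# Real-time: bluetoothd never requests real-time scheduling`. Both directives are enforced through seccomp, so on a kernel or architecture without seccomp filter support they are silently not applied while the unit still loads without error, and MemoryDenyWriteExecute= in particular did not cover non-native ABIs on older systemd releases, as far as I recall. Confirming after deployment that the sandbox is actually in effect, for example with `systemd-analyze security bluetooth.service` on systemd releases that provide it, would be worth a line in the packaging notes.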
-- 
2.21.0