[3/4] systemd: Add more filesystem lockdown

Message ID 20220126113638.1706785-3-hadess@hadess.net (mailing list archive)
State Accepted
Delegated to: Luiz Von Dentz
Series [1/4] build: Always define confdir and statedir

Checks

Context Check Description
tedd_an/checkpatch success Checkpatch PASS
tedd_an/gitlint success Gitlint PASS

Commit Message

Bastien Nocera Jan. 26, 2022, 11:36 a.m. UTC
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
---
 Makefile.am              | 3 +++
 src/bluetooth.service.in | 4 ++++
 2 files changed, 7 insertions(+)

Patch

diff --git a/Makefile.am b/Makefile.am
index 2ba25e687..82125c482 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -622,6 +622,9 @@  MAINTAINERCLEANFILES = Makefile.in \
 
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+		       -e 's,@libexecdir\@,$(libexecdir),g' \
+		       -e 's,@statedir\@,$(statedir),g' \
+		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
 
 if RUN_RST2MAN
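Review bot: The added `-e 's,@libexecdir\@,$(libexecdir),g'` substitution is not used by anything this patch puts into src/bluetooth.service.in, which only references @statedir@ and @confdir@, and the commit message does not mention it. Either drop that line from this patch or say in the commit message which template needs it. Separately, the new expressions reuse `,` as the sed delimiter, so a configured statedir or confdir containing a comma would break the substitution; that matches the existing @pkglibexecdir@ line, but it is worth a comment now that user-configurable directories pass through SED_PROCESS.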
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@  LimitNPROC=1
 ProtectHome=true
 ProtectSystem=full
 PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
 
 # Privilege escalation
 NoNewPrivileges=true
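Review bot: `ReadWritePaths=@statedir@` does not narrow write access while the context line above still reads `ProtectSystem=full`. That setting makes only /usr, the boot loader directories and /etc read-only, so the rest of the file system stays writable to the daemon and the commit message's "read-write to the Bluetooth cache directory and sub-directories" is not what the unit enforces. Switching to `ProtectSystem=strict` would make the whole hierarchy read-only and let the ReadWritePaths entry be the only writable exception. Also note that systemd fails namespace setup when a path listed in ReadWritePaths= or ReadOnlyPaths= does not exist at start, so on a fresh install where @statedir@ has not been created yet the service would not start; prefixing the paths with `-` or having the unit create the directory (for example with StateDirectory=) avoids that.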