From patchwork Wed Jan 26 11:36:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 12724964 X-Patchwork-Delegate: luiz.dentz@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26E30C28CF5 for ; Wed, 26 Jan 2022 11:36:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233806AbiAZLgz (ORCPT ); Wed, 26 Jan 2022 06:36:55 -0500 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:41603 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233725AbiAZLgo (ORCPT ); Wed, 26 Jan 2022 06:36:44 -0500 Received: (Authenticated sender: hadess@hadess.net) by mail.gandi.net (Postfix) with ESMTPSA id C54A31BF203 for ; Wed, 26 Jan 2022 11:36:39 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Subject: [PATCH 1/4] build: Always define confdir and statedir Date: Wed, 26 Jan 2022 12:36:35 +0100 Message-Id: <20220126113638.1706785-1-hadess@hadess.net> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-GND-Spam-Score: 300 X-GND-Status: SPAM Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org As we will need those paths to lock down on them. --- Makefile.am | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index e391d7ae8..2ba25e687 100644 --- a/Makefile.am +++ b/Makefile.am @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS) $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \ $(LIBEDATASERVER_CFLAGS) $(ell_cflags) AM_LDFLAGS = $(MISC_LDFLAGS) +confdir = $(sysconfdir)/bluetooth +statedir = $(localstatedir)/lib/bluetooth + if DATAFILES dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d dbus_DATA = src/bluetooth.conf -confdir = $(sysconfdir)/bluetooth conf_DATA = - -statedir = $(localstatedir)/lib/bluetooth state_DATA = endif From patchwork Wed Jan 26 11:36:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 12724966 X-Patchwork-Delegate: luiz.dentz@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 12293C5DF62 for ; Wed, 26 Jan 2022 11:36:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240808AbiAZLg4 (ORCPT ); Wed, 26 Jan 2022 06:36:56 -0500 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:33919 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240851AbiAZLgo (ORCPT ); Wed, 26 Jan 2022 06:36:44 -0500 Received: (Authenticated sender: hadess@hadess.net) by mail.gandi.net (Postfix) with ESMTPSA id 1E6AF1BF207; Wed, 26 Jan 2022 11:36:39 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Craig Andrews Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options Date: Wed, 26 Jan 2022 12:36:36 +0100 Message-Id: <20220126113638.1706785-2-hadess@hadess.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220126113638.1706785-1-hadess@hadess.net> References: <20220126113638.1706785-1-hadess@hadess.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org From: Craig Andrews PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different namespace. This is useful to secure access to temporary files of the process. NoNewPrivileges ensures that service process and all its children can never gain new privileges through execve(), lowering the risk of possible privilege escalations. --- src/bluetooth.service.in | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index f9faaa452..7c2f60bb4 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -12,8 +12,14 @@ NotifyAccess=main #Restart=on-failure CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE LimitNPROC=1 + +# Filesystem lockdown ProtectHome=true ProtectSystem=full +PrivateTmp=true + +# Privilege escalation +NoNewPrivileges=true [Install] WantedBy=bluetooth.target From patchwork Wed Jan 26 11:36:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 12724965 X-Patchwork-Delegate: luiz.dentz@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE613C63684 for ; Wed, 26 Jan 2022 11:36:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233725AbiAZLg4 (ORCPT ); Wed, 26 Jan 2022 06:36:56 -0500 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:52351 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240850AbiAZLgo (ORCPT ); Wed, 26 Jan 2022 06:36:44 -0500 Received: (Authenticated sender: hadess@hadess.net) by mail.gandi.net (Postfix) with ESMTPSA id DCE591BF206 for ; Wed, 26 Jan 2022 11:36:40 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Subject: [PATCH 3/4] systemd: Add more filesystem lockdown Date: Wed, 26 Jan 2022 12:36:37 +0100 Message-Id: <20220126113638.1706785-3-hadess@hadess.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220126113638.1706785-1-hadess@hadess.net> References: <20220126113638.1706785-1-hadess@hadess.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org We can only access the configuration file as read-only and read-write to the Bluetooth cache directory and sub-directories. --- Makefile.am | 3 +++ src/bluetooth.service.in | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/Makefile.am b/Makefile.am index 2ba25e687..82125c482 100644 --- a/Makefile.am +++ b/Makefile.am @@ -622,6 +622,9 @@ MAINTAINERCLEANFILES = Makefile.in \ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ $(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \ + -e 's,@libexecdir\@,$(libexecdir),g' \ + -e 's,@statedir\@,$(statedir),g' \ + -e 's,@confdir\@,$(confdir),g' \ < $< > $@ if RUN_RST2MAN diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index 7c2f60bb4..4daedef2a 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -17,6 +17,10 @@ LimitNPROC=1 ProtectHome=true ProtectSystem=full PrivateTmp=true +ProtectKernelTunables=true +ProtectControlGroups=true +ReadWritePaths=@statedir@ +ReadOnlyPaths=@confdir@ # Privilege escalation NoNewPrivileges=true From patchwork Wed Jan 26 11:36:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 12724963 X-Patchwork-Delegate: luiz.dentz@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79BFCC2BA4C for ; Wed, 26 Jan 2022 11:36:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233852AbiAZLgz (ORCPT ); Wed, 26 Jan 2022 06:36:55 -0500 Received: from relay8-d.mail.gandi.net ([217.70.183.201]:49043 "EHLO relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240852AbiAZLgo (ORCPT ); Wed, 26 Jan 2022 06:36:44 -0500 Received: (Authenticated sender: hadess@hadess.net) by mail.gandi.net (Postfix) with ESMTPSA id 33F411BF20B for ; Wed, 26 Jan 2022 11:36:41 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Subject: [PATCH 4/4] systemd: More lockdown Date: Wed, 26 Jan 2022 12:36:38 +0100 Message-Id: <20220126113638.1706785-4-hadess@hadess.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220126113638.1706785-1-hadess@hadess.net> References: <20220126113638.1706785-1-hadess@hadess.net> MIME-Version: 1.0 X-GND-Spam-Score: 300 X-GND-Status: SPAM Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org bluetoothd does not need to execute mapped memory, or real-time access, so block those. --- src/bluetooth.service.in | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index 4daedef2a..f18801866 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -22,9 +22,15 @@ ProtectControlGroups=true ReadWritePaths=@statedir@ ReadOnlyPaths=@confdir@ +# Execute Mappings +MemoryDenyWriteExecute=true + # Privilege escalation NoNewPrivileges=true +# Real-time +RestrictRealtime=true + [Install] WantedBy=bluetooth.target Alias=dbus-org.bluez.service