| field | value | |
|---|---|---|
| author | Lubomir Rintel <lkundrak@v3.sk> | 2016-10-17 18:25:08 +0200 |
| committer | Aleksander Morgado <aleksander@aleksander.es> | 2016-10-24 13:15:15 +0200 |
| commit | ccea14ac476737535124b6e9e553fcdc57b67529 (patch) | |
| tree | 918cac1d1b1e358aa3d1edf7a12aef30fe2d0e03 | |
| parent | da2b0064eec3ff7710ef2efd79df53b426d6ef7a (diff) | |
| download | ModemManager-ccea14ac476737535124b6e9e553fcdc57b67529.tar.gz | |
systemd: tighten the service security a bit
What's left enabled:
* Access to /dev -- obviously
* CAP_SYS_ADMIN -- this is needed by TIOCSSERIAL only. Too bad this also
allows TIOCSTI, which allows for code injection unless something else
(SELinux) disallows access to ttys with shells.
Maybe the kernel should use CAP_SYS_TTY_CONFIG for this.
* socket(AF_NETLINK) -- udev & kernel device changes
* socket(AF_UNIX) -- D-Bus
-rw-r--r-- | data/ModemManager.service.in | 6
1 files changed, 6 insertions, 0 deletions
diff --git a/data/ModemManager.service.in b/data/ModemManager.service.in index 9fe3a3bce..aac4ab05f 100644 --- a/data/ModemManager.service.in +++ b/data/ModemManager.service.in @@ -8,6 +8,12 @@ BusName=org.freedesktop.ModemManager1 ExecStart=@sbindir@/ModemManager StandardError=null Restart=on-abort +CapabilityBoundingSet=CAP_SYS_ADMIN +ProtectSystem=true +ProtectHome=true +PrivateTmp=true +RestrictAddressFamilies=AF_NETLINK AF_UNIX +NoNewPrivileges=true [Install] WantedBy=multi-user.target |
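Review bot: the retained `CapabilityBoundingSet=CAP_SYS_ADMIN` line carries no explanation in the unit itself, so the reasoning from the commit message (kept only for TIOCSSERIAL, with the TIOCSTI side effect acknowledged) will be lost to anyone reading the installed service file; add a comment above it such as `# CAP_SYS_ADMIN is needed for TIOCSSERIAL on serial ports` so the next hardening pass knows what would break if it were dropped. Second, `ProtectSystem=true` only makes /usr and /boot read-only; `ProtectSystem=full` additionally covers /etc, which ModemManager has no stated need to write, so `full` would be the tighter setting consistent with the intent of the change (`strict` would go further but needs `ReadWritePaths=` for any state directory the daemon uses). Finally, `RestrictAddressFamilies=` and the other sandboxing directives depend on seccomp support in the running kernel and systemd build; on a system without it they are silently skipped, so the commit message's description of what is left enabled should be read as a best case rather than a guarantee.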