systemd: More lockdown

bluetoothd does not need to execute mapped memory, or real-time access, so block those.
author: Bastien Nocera <hadess@hadess.net> 2022-01-26 12:36:38 +0100
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-01-31 10:37:55 -0800
commit: 340a7b97852eedaa18c8b580ba9420ee83cf382d (patch)
tree: 3c11254ebb5a95e370ea247263436392cd6b3cd0 /src/bluetooth.service.in
parent: 442d211b5f30f00d5ddd69b43385a03c1428ac45 (diff)
download: bluez-340a7b97852eedaa18c8b580ba9420ee83cf382d.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 4daedef2a..f18801866 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
 ReadWritePaths=@statedir@
 ReadOnlyPaths=@confdir@
 
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
 # Privilege escalation
 NoNewPrivileges=true
 
+# Real-time
+RestrictRealtime=true
+
 [Install]
 WantedBy=bluetooth.target
 Alias=dbus-org.bluez.service
author	Bastien Nocera <hadess@hadess.net>	2022-01-26 12:36:38 +0100
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2022-01-31 10:37:55 -0800
commit	340a7b97852eedaa18c8b580ba9420ee83cf382d (patch)
tree	3c11254ebb5a95e370ea247263436392cd6b3cd0 /src/bluetooth.service.in
parent	442d211b5f30f00d5ddd69b43385a03c1428ac45 (diff)
download	bluez-340a7b97852eedaa18c8b580ba9420ee83cf382d.tar.gz