author | Bastien Nocera <hadess@hadess.net> | 2022-01-26 12:36:37 +0100 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-01-31 10:37:55 -0800 |
commit | 442d211b5f30f00d5ddd69b43385a03c1428ac45 (patch) | |
tree | 9f314ce67bc6dbcfe753c01632ea1b2de88dc7c8 /src/bluetooth.service.in | |
parent | 8d2db81eb7f508bbe4c89c3e9178a11ee086912e (diff) | |
download | bluez-442d211b5f30f00d5ddd69b43385a03c1428ac45.tar.gz |
systemd: Add more filesystem lockdown
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
Diffstat (limited to 'src/bluetooth.service.in')
-rw-r--r-- | src/bluetooth.service.in | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index 7c2f60bb4..4daedef2a 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -17,6 +17,10 @@ LimitNPROC=1 ProtectHome=true ProtectSystem=full PrivateTmp=true +ProtectKernelTunables=true +ProtectControlGroups=true +ReadWritePaths=@statedir@ +ReadOnlyPaths=@confdir@ # Privilege escalation NoNewPrivileges=true |
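Review bot: The added `ReadWritePaths=@statedir@` does not confine writes to the state directory while the unit keeps `ProtectSystem=full` (the context line just above the additions), because that mode only makes `/usr`, the boot loader directories and `/etc` read-only and leaves `/var` and the rest of the filesystem writable. The "read-write to the Bluetooth cache directory" described in the commit message only holds with `ProtectSystem=strict`, where `ReadWritePaths=` acts as the allow-list, so consider switching to that in the same change. For the same reason `ReadOnlyPaths=@confdir@` is redundant if `@confdir@` expands to a path under `/etc`. Both path settings also make the service fail at namespace setup when the listed path does not exist, so if `@statedir@` can be missing on first start, prefix it with `-` or have systemd create it via `StateDirectory=`.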