systemd: Add more filesystem lockdown

We can only access the configuration file as read-only and read-write to the Bluetooth cache directory and sub-directories.
author: Bastien Nocera <hadess@hadess.net> 2022-01-26 12:36:37 +0100
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-01-31 10:37:55 -0800
commit: 442d211b5f30f00d5ddd69b43385a03c1428ac45 (patch)
tree: 9f314ce67bc6dbcfe753c01632ea1b2de88dc7c8 /src/bluetooth.service.in
parent: 8d2db81eb7f508bbe4c89c3e9178a11ee086912e (diff)
download: bluez-442d211b5f30f00d5ddd69b43385a03c1428ac45.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
 ProtectHome=true
 ProtectSystem=full
 PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
 
 # Privilege escalation
 NoNewPrivileges=true
author	Bastien Nocera <hadess@hadess.net>	2022-01-26 12:36:37 +0100
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2022-01-31 10:37:55 -0800
commit	442d211b5f30f00d5ddd69b43385a03c1428ac45 (patch)
tree	9f314ce67bc6dbcfe753c01632ea1b2de88dc7c8 /src/bluetooth.service.in
parent	8d2db81eb7f508bbe4c89c3e9178a11ee086912e (diff)
download	bluez-442d211b5f30f00d5ddd69b43385a03c1428ac45.tar.gz