systemd: Add PrivateTmp and NoNewPrivileges options

PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different namespace. This is useful to secure access to temporary files of the process. NoNewPrivileges ensures that service process and all its children can never gain new privileges through execve(), lowering the risk of possible privilege escalations.
author: Craig Andrews <candrews@integralblue.com> 2022-01-26 12:36:36 +0100
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-01-31 10:37:54 -0800
commit: 8d2db81eb7f508bbe4c89c3e9178a11ee086912e (patch)
tree: e83c84804bea9da4e1277b7e88d67bf866d6e9cd /src/bluetooth.service.in
parent: caeabc41274fce997edf9314de1d7f1e9ae04055 (diff)
download: bluez-8d2db81eb7f508bbe4c89c3e9178a11ee086912e.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f9faaa452..7c2f60bb4 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
+
+# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
 
 [Install]
 WantedBy=bluetooth.target
author	Craig Andrews <candrews@integralblue.com>	2022-01-26 12:36:36 +0100
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2022-01-31 10:37:54 -0800
commit	8d2db81eb7f508bbe4c89c3e9178a11ee086912e (patch)
tree	e83c84804bea9da4e1277b7e88d67bf866d6e9cd /src/bluetooth.service.in
parent	caeabc41274fce997edf9314de1d7f1e9ae04055 (diff)
download	bluez-8d2db81eb7f508bbe4c89c3e9178a11ee086912e.tar.gz