| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This sets ConfigurationDirectoryMode to 0555 to really enforce the
ConfigurationDirectory to be read-only [1].
[1] https://github.com/bluez/bluez/issues/329#issuecomment-1102459104
| |
This sets StateDirectoryMode to 0700 as it is the current mode used for
creating files inside the storage and it is different than the default
systemd uses which is 0755:
[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RuntimeDirectoryMode=
| |
This makes use of StateDirectory[1] and ConfigurationDirectory[1] to
inform systemd what those paths are used for instead of using
ReadWritePaths and ReadOnlyPaths which can lead to issues.
Fixes: https://github.com/bluez/bluez/issues/329
[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
| |
bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
| |
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
| |
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
| |
When files are to be placed not in libexecdir but a subdirectory of
it, automake has a variable name reserved for exactly that purpose
(and a default value, which Makefile.am will override), called
pkglibexecdir. Let's use it.
| |
These options protect from unintended access to the filesystem; see
SYSTEMD.EXEC(5) for more detail.
| |
When running a kernel without bluetooth support, bluetooth.service fails to
start with
  bluetoothd[1640]: Failed to access management interface
  bluetoothd[1640]: Adapter handling initialization failed
  systemd[1]: bluetooth.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: Failed to start Bluetooth service.
This causes an unnecessary "degraded" state and more importantly breaks package
installation when the bluez package auto-starts the daemon.
Add a condition to only start the service if /sys/class/bluetooth exists.
https://launchpad.net/bugs/1506774
| |
This is a left-over from times that raw HCI sockets were used. It's not
needed anymore.
| |
By default, both stdout and syslog messages go to the systemd journal,
which results in duplicate messages being logged.
| |
This allows bluez to be bus-activated.
| |
This was only needed in old versions of systemd. All messages are logged
by default to the journal now, no ordering required.