2017-09-20 11:48:16

by Bastien Nocera

Subject: [PATCH 1/4] build: Always define confdir and statedir

As we will need those paths to lock down on them.
---
Makefile.am | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 555f301ca..1c38d94e5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -30,14 +30,14 @@ include_HEADERS =
AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS)
AM_LDFLAGS = $(MISC_LDFLAGS)

+confdir = $(sysconfdir)/bluetooth
+statedir = $(localstatedir)/lib/bluetooth
+
if DATAFILES
dbusdir = @DBUS_CONFDIR@/dbus-1/system.d
dbus_DATA = src/bluetooth.conf

-confdir = $(sysconfdir)/bluetooth
conf_DATA =
-
-statedir = $(localstatedir)/lib/bluetooth
state_DATA =
endif
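Review bot: the hoist is correct, but the reason for it is not recorded anywhere in the Makefile, and the commit message ("to lock down on them") does not say either; a one-line comment above `confdir = $(sysconfdir)/bluetooth` saying that the two variables are also read outside `if DATAFILES` (they are substituted into generated files later in this series) would stop a future cleanup from moving them back into the conditional, where they would expand to empty strings whenever DATAFILES is off. Inside the conditional they keep doubling as the automake install-directory variables for `conf_DATA` and `state_DATA`, so nothing else changes.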

--
2.14.1



2017-09-20 11:48:19

by Bastien Nocera

Subject: [PATCH 4/4] systemd: More lockdown

bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7e55b5043..e8267b338 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
ReadWritePaths=@statedir@
ReadOnlyPaths=@confdir@

+# Execute Mappings
+MemoryDenyWriteExecute=true
+
# Privilege escalation
NoNewPrivileges=true

+# Real-time
+RestrictRealtime=true
+
[Install]
WantedBy=bluetooth.target
Alias=dbus-org.bluez.service
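Review bot: `MemoryDenyWriteExecute=true` makes every request to create a writable-and-executable mapping, or to turn an existing mapping executable, fail with EPERM, so the commit message's claim that bluetoothd "does not need to execute mapped memory" has to hold for every plugin and library the daemon loads, not just its own code; a dependency that generates trampolines or JIT code at runtime fails at the first such call, not at startup, which is hard to spot in a quick smoke test. Please state in the commit message which plugin configuration was tested. The same applies to `RestrictRealtime=true`: any code path that asks for SCHED_FIFO/SCHED_RR scheduling now gets EPERM, so a sentence saying that nothing in the daemon does would make the change self-explaining.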
--
2.14.1


2017-09-20 11:48:17

by Bastien Nocera

Subject: [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options

From: Craig Andrews <[email protected]>

PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.

NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f799f65f0..a6f3030f9 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1
+
+# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true

[Install]
WantedBy=bluetooth.target
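Review bot: `NoNewPrivileges=true` affects more than setuid binaries: with the no_new_privs flag set, an SELinux domain transition on execve() is refused unless the kernel's SELinux code handles that case, which is exactly the Fedora breakage reported later in this thread. The commit message should mention that interaction and the kernel requirement, and the change should be tested on an SELinux-enforcing system before merging. Grouping `PrivateTmp=true` under the new `# Filesystem lockdown` comment with ProtectHome/ProtectSystem, and the new directive under its own `# Privilege escalation` comment, reads well; later patches should keep that grouping.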
--
2.14.1


2017-09-20 11:48:18

by Bastien Nocera

Subject: [PATCH 3/4] systemd: Add more filesystem lockdown

We can only access the configuration file read-only, and the Bluetooth
cache directory and its sub-directories read-write.
---
Makefile.am | 2 ++
src/bluetooth.service.in | 4 ++++
2 files changed, 6 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index 1c38d94e5..13ccf9079 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \

SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
+ -e 's,@statedir\@,$(statedir),g' \
+ -e 's,@confdir\@,$(confdir),g' \
< $< > $@

%.service: %.service.in Makefile
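Review bot: the two new `-e` expressions feed `$(statedir)` and `$(confdir)` straight into `ReadWritePaths=`/`ReadOnlyPaths=`, which systemd requires to be absolute paths, so this relies on `$(localstatedir)` and `$(sysconfdir)` being absolute at build time; with the standard autoconf defaults they are, but the dependency is worth a comment next to the sed line. It also relies on the variables being defined even when DATAFILES is off (otherwise the unit would contain an empty `ReadWritePaths=`), which is the real motivation for patch 1/4 and should be stated in that commit message. The ',' delimiter matches the existing `@libexecdir\@` line, so a comma in any of the three paths would break all three substitutions alike; acceptable, but known. The `%.service` rule depending on `Makefile` means a changed `confdir`/`statedir` regenerates the unit, which is right.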
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index a6f3030f9..7e55b5043 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@

# Privilege escalation
NoNewPrivileges=true
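Review bot: with `ProtectSystem=full` (unchanged context above) only the /usr, /boot and /etc hierarchies are mounted read-only, so /var/lib/bluetooth is already writable and `ReadWritePaths=@statedir@` changes nothing until ProtectSystem is raised to `strict`; likewise `ReadOnlyPaths=@confdir@` is already covered by the read-only /etc. The commit message's "we can only access ... the Bluetooth cache directory ... read-write" therefore overstates what this hunk enforces: either switch to `ProtectSystem=strict` (and audit every other path the daemon writes, since that makes the whole filesystem read-only except the listed paths) or reword the message to say the path directives are preparation for that step. The restrictions that do take effect here are `ProtectKernelTunables=true` (read-only /proc/sys, /sys and related) and `ProtectControlGroups=true` (read-only /sys/fs/cgroup), which deserve a mention.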
--
2.14.1


2017-11-24 14:15:34

by Bastien Nocera

Subject: Re: [PATCH 1/4] build: Always define confdir and statedir

On Wed, 2017-09-20 at 13:48 +0200, Bastien Nocera wrote:
> As we will need those paths to lock down on them.

The 4 patches in this patchset are still relevant.

NoNewPrivileges broke SELinux on Fedora, but the problem has since been
fixed in the kernel SELinux support to handle it properly.

Cheers

2022-01-26 21:10:22

by Bastien Nocera

Subject: Re: [PATCH 1/4] build: Always define confdir and statedir

Some patches from 2017 to use systemd lockdown. They've been used for 5
years by Fedora and RHEL.

Cheers

On Wed, 2022-01-26 at 12:36 +0100, Bastien Nocera wrote:
> As we will need those paths to lock down on them.
> ---
>  Makefile.am | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/Makefile.am b/Makefile.am
> index e391d7ae8..2ba25e687 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS)
> $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
>                                 $(LIBEDATASERVER_CFLAGS)
> $(ell_cflags)
>  AM_LDFLAGS = $(MISC_LDFLAGS)
>  
> +confdir = $(sysconfdir)/bluetooth
> +statedir = $(localstatedir)/lib/bluetooth
> +
>  if DATAFILES
>  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
>  dbus_DATA = src/bluetooth.conf
>  
> -confdir = $(sysconfdir)/bluetooth
>  conf_DATA =
> -
> -statedir = $(localstatedir)/lib/bluetooth
>  state_DATA =
>  endif
>  
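Review bot: this 2022 resend of patch 1/4 differs from the 2017 posting only in context (the base blob moved from 555f301ca to e391d7ae8 and `dbusdir` now uses `$(DBUS_CONFDIR)` instead of `@DBUS_CONFDIR@`); the change itself is identical, so the question of what it is for is still open in the commit message. It should say that `confdir` and `statedir` must be defined outside `if DATAFILES` because patch 3/4 substitutes them into the generated service file regardless of that option.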

2022-01-26 21:21:17

by Marcel Holtmann

Subject: Re: [PATCH 1/4] build: Always define confdir and statedir

Hi Bastien,

> Some patches from 2017 to use systemd lockdown. They've been used for 5
> years by Fedora and RHEL.
>
>> As we will need those paths to lock down on them.
>> ---
>> Makefile.am | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index e391d7ae8..2ba25e687 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS)
>> $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
>> $(LIBEDATASERVER_CFLAGS)
>> $(ell_cflags)
>> AM_LDFLAGS = $(MISC_LDFLAGS)
>>
>> +confdir = $(sysconfdir)/bluetooth
>> +statedir = $(localstatedir)/lib/bluetooth
>> +
>> if DATAFILES
>> dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
>> dbus_DATA = src/bluetooth.conf
>>
>> -confdir = $(sysconfdir)/bluetooth
>> conf_DATA =
>> -
>> -statedir = $(localstatedir)/lib/bluetooth
>> state_DATA =
>> endif
>>

Seems I missed that one. Can you please be more specific about what this change does?

Regards

Marcel

2022-01-26 21:24:28

by Bastien Nocera

Subject: Re: [PATCH 1/4] build: Always define confdir and statedir

On Wed, 2022-01-26 at 14:31 +0100, Marcel Holtmann wrote:
> Hi Bastien,
>
> > Some patches from 2017 to use systemd lockdown. They've been used
> > for 5
> > years by Fedora and RHEL.
> >
> > > As we will need those paths to lock down on them.
> > > ---
> > >  Makefile.am | 6 +++---
> > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/Makefile.am b/Makefile.am
> > > index e391d7ae8..2ba25e687 100644
> > > --- a/Makefile.am
> > > +++ b/Makefile.am
> > > @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS)
> > > $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
> > >                                 $(LIBEDATASERVER_CFLAGS)
> > > $(ell_cflags)
> > >  AM_LDFLAGS = $(MISC_LDFLAGS)
> > >  
> > > +confdir = $(sysconfdir)/bluetooth
> > > +statedir = $(localstatedir)/lib/bluetooth
> > > +
> > >  if DATAFILES
> > >  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
> > >  dbus_DATA = src/bluetooth.conf
> > >  
> > > -confdir = $(sysconfdir)/bluetooth
> > >  conf_DATA =
> > > -
> > > -statedir = $(localstatedir)/lib/bluetooth
> > >  state_DATA =
> > >  endif
> > >  
>
> Seems I missed that one. Can you please be more specific about what this
> change does?

This change specifically? Check the next patches in the series, and
you'll see pretty quickly.

For the rest of the patchset, check this man page for details on each
of the directives:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security

There's a fair amount of other directives we could use on top of those
ones, but we can add them iteratively (and it makes bisecting easier,
in case we forget about a particular use case).

Cheers
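The reply above points at the systemd.exec(5) security directives and notes that more of them can be added iteratively. A distribution packager will want to check the generated unit after each step, both that the intended directives survived the build and that the `@statedir@`/`@confdir@` placeholders were actually substituted (an unsubstituted or relative path in `ReadWritePaths=` is rejected by systemd). The following is an added example for that check, not BlueZ code or anything from this thread: it parses a unit file, compares the `[Service]` section against the directives the four patches introduce, and flags template leftovers. The unit text is constructed here from the directives visible in the patches, and the substituted paths `/var/lib/bluetooth` and `/etc/bluetooth` assume default autoconf prefixes.

```python
"""Audit a generated bluetooth.service for the lockdown directives this series adds.

Added example, not BlueZ code. The unit text below is constructed from the
directives visible in the patches; the substituted paths assume default
autoconf prefixes for sysconfdir and localstatedir.
"""

# Directive -> value the service should carry once all four patches are applied.
EXPECTED_SETTINGS = {
    "ProtectHome": "true",
    "ProtectSystem": "full",
    "PrivateTmp": "true",
    "NoNewPrivileges": "true",
    "ProtectKernelTunables": "true",
    "ProtectControlGroups": "true",
    "MemoryDenyWriteExecute": "true",
    "RestrictRealtime": "true",
}
# List-valued path directives whose entries must be absolute paths.
PATH_DIRECTIVES = ("ReadWritePaths", "ReadOnlyPaths")


def parse_unit(text):
    """Parse INI-style unit text into {section: {key: [values]}}.

    Repeated keys accumulate and an empty assignment resets the list, which is
    how systemd treats list-valued settings such as ReadWritePaths=.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; systemd would warn
        key, _, value = line.partition("=")
        values = sections[current].setdefault(key.strip(), [])
        if value.strip():
            values.append(value.strip())
        else:
            values.clear()
    return sections


def audit_service(text):
    """Return a list of findings; an empty list means the lockdown is complete."""
    findings = []
    service = parse_unit(text).get("Service", {})
    for key, want in EXPECTED_SETTINGS.items():
        got = service.get(key)
        if not got:
            findings.append(f"{key} missing")
        elif got[-1] != want:  # last assignment wins for scalar settings
            findings.append(f"{key}={got[-1]} (expected {want})")
    for key in PATH_DIRECTIVES:
        for entry in service.get(key, []):
            for path in entry.split():
                path = path.lstrip("-+")  # systemd allows '-' / '+' prefixes on entries
                if "@" in path:
                    findings.append(f"{key}: unsubstituted template {path}")
                elif not path.startswith("/"):
                    findings.append(f"{key}: non-absolute path {path}")
    return findings


# Constructed sample: the [Service] lines the series ends up with, paths substituted.
HARDENED_UNIT = """\
[Unit]
Description=Bluetooth service

[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1

# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadWritePaths=/var/lib/bluetooth
ReadOnlyPaths=/etc/bluetooth

# Execute Mappings
MemoryDenyWriteExecute=true

# Privilege escalation
NoNewPrivileges=true

# Real-time
RestrictRealtime=true

[Install]
WantedBy=bluetooth.target
"""

# Constructed failure case: the Makefile substitution did not run (template left
# in place) and one directive was dropped during a rebase.
BROKEN_UNIT = (
    HARDENED_UNIT.replace("/var/lib/bluetooth", "@statedir@")
    .replace("RestrictRealtime=true\n", "")
)

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("broken", BROKEN_UNIT)):
        print(name, audit_service(unit) or "OK")
```

Run it against the real generated file with `audit_service(open("src/bluetooth.service").read())` after `make`; an empty list means every directive from the series is present with the expected value and both path directives carry absolute, substituted paths. The parser deliberately models systemd's reset-on-empty behaviour for list settings, so a drop-in that clears `ReadWritePaths=` is caught too.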

2022-02-02 13:55:15

by Bastien Nocera

Subject: Re: [PATCH 1/4] build: Always define confdir and statedir

On Wed, 2022-01-26 at 14:45 +0100, Bastien Nocera wrote:
> This change specifically? Check the next patches in the series, and
> you'll see pretty quickly.
>
> For the rest of the patchset, check this man page for details on each
> of the directives:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security
>
> There's a fair amount of other directives we could use on top of
> those
> ones, but we can add them iteratively (and it makes bisecting easier,
> in case we forget about a particular use case).

Did you have any more questions about this patchset?

2022-04-13 00:04:55

by Luiz Augusto von Dentz

Subject: Re: [PATCH 1/4] build: Always define confdir and statedir

Hi Bastien,

On Wed, Feb 2, 2022 at 5:55 AM Bastien Nocera <[email protected]> wrote:
>
> On Wed, 2022-01-26 at 14:45 +0100, Bastien Nocera wrote:
> > This change specifically? Check the next patches in the series, and
> > you'll see pretty quickly.
> >
> > For the rest of the patchset, check this man page for details on each
> > of the directives:
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security
> >
> > There's a fair amount of other directives we could use on top of
> > those
> > ones, but we can add them iteratively (and it makes bisecting easier,
> > in case we forget about a particular use case).
>
> Did you have any more questions about this patchset?

Looks like we have some problems with these changes:

https://github.com/bluez/bluez/issues/329

--
Luiz Augusto von Dentz