From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH 4/4] systemd: More lockdown
Date: Wed, 26 Jan 2022 12:36:38 +0100
Message-Id: <20220126113638.1706785-4-hadess@hadess.net>
In-Reply-To: <20220126113638.1706785-1-hadess@hadess.net>
References: <20220126113638.1706785-1-hadess@hadess.net>
X-Mailing-List: linux-bluetooth@vger.kernel.org

bluetoothd does not need to execute mapped memory or real-time access, so block those.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 4daedef2a..f18801866 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true ReadWritePaths=@statedir@ ReadOnlyPaths=@confdir@ +# Execute Mappings +MemoryDenyWriteExecute=true + # Privilege escalation NoNewPrivileges=true +# Real-time +RestrictRealtime=true + [Install] WantedBy=bluetooth.target Alias=dbus-org.bluez.service -- 2.34.1
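Review bot: the commit message asserts that bluetoothd needs neither writable-and-executable memory nor real-time scheduling, but the hunk gives no indication of how that was verified, and both new directives fail closed at runtime rather than at startup. With `MemoryDenyWriteExecute=true`, any `mmap()` with `PROT_WRITE|PROT_EXEC`, `mprotect()` with `PROT_EXEC`, or `shmat()` with `SHM_EXEC` issued by bluetoothd or by any library or plugin it loads returns EPERM, which may only surface when a particular plugin or code path is exercised; `RestrictRealtime=true` does the same for `sched_setscheduler()` requests for SCHED_FIFO/SCHED_RR/SCHED_DEADLINE. Please say in the commit message how this was tested (for example, running the daemon with the full plugin set enabled and checking the journal for EPERM, and confirming with `systemd-analyze security bluetooth.service` that both checks now pass), and note that out-of-tree plugins needing either can relax the setting in a drop-in. Both directives are seccomp-based like the other hardening already in this unit, and the existing `NoNewPrivileges=true` a few lines above is what lets the filter apply cleanly, so the placement next to it is fine; the `# Execute Mappings` and `# Real-time` comment headers also match the file's existing `# Privilege escalation` style.

As an added check that is not part of this patch or of BlueZ, the probe below attempts exactly the three operations the two new directives deny: a W+X anonymous mapping, an `mprotect()` to `PROT_EXEC`, and a switch to SCHED_FIFO. Run it once unconfined and once under the directives, e.g. `systemd-run --wait -p MemoryDenyWriteExecute=yes -p RestrictRealtime=yes ./probe`; the first run should report `allowed` for all three and the second `denied (EPERM)`. The function names (`probe_mmap_wx`, `probe_mprotect_exec`, `probe_realtime`, `verdict`) are my own. Note that the real-time probe also reports EPERM for an unprivileged process whose RLIMIT_RTPRIO is 0, independently of systemd, so run that one as root or with a raised limit to isolate the directive's effect.

```c
/* Probe for the systemd directives MemoryDenyWriteExecute= and RestrictRealtime=.
 * Added example; not BlueZ code. Each probe returns 0 when the kernel allowed the
 * operation, otherwise the errno it failed with. Under the two directives,
 * systemd's seccomp filters make all three fail with EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* MemoryDenyWriteExecute=yes: an anonymous mapping that is writable and
 * executable at the same time is refused. */
int probe_mmap_wx(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, 4096);
    return 0;
}

/* MemoryDenyWriteExecute=yes also refuses the two-step route: map RW, then
 * mprotect() with PROT_EXEC set (the way JITs usually flip a page to code). */
int probe_mprotect_exec(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = 0;
    if (mprotect(p, 4096, PROT_READ | PROT_EXEC) != 0)
        err = errno;
    munmap(p, 4096);
    return err;
}

/* RestrictRealtime=yes: requesting SCHED_FIFO (likewise SCHED_RR/SCHED_DEADLINE)
 * is refused. An unprivileged process with RLIMIT_RTPRIO=0 also gets EPERM here
 * without any systemd involvement, so compare against an unconfined run. */
int probe_realtime(void)
{
    struct sched_param rt = { .sched_priority = 1 };
    if (sched_setscheduler(0, SCHED_FIFO, &rt) != 0)
        return errno;
    struct sched_param normal = { .sched_priority = 0 };
    sched_setscheduler(0, SCHED_OTHER, &normal); /* restore normal scheduling */
    return 0;
}

/* Human-readable verdict for a probe result. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (err == EPERM)
        return "denied (EPERM)";
    return "failed (other errno)";
}

int main(void)
{
    printf("mmap(PROT_WRITE|PROT_EXEC):     %s\n", verdict(probe_mmap_wx()));
    printf("mprotect(PROT_EXEC):            %s\n", verdict(probe_mprotect_exec()));
    printf("sched_setscheduler(SCHED_FIFO): %s\n", verdict(probe_realtime()));
    return 0;
}
```

Because the denial is a seccomp EPERM rather than a crash, a daemon that silently tolerates the failed call can keep running in a degraded state; grepping the journal for EPERM from the service after exercising each plugin is the complementary check.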