Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5486126pxb;
        Wed, 26 Jan 2022 13:10:23 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzIPUJBq2BdrnXQ1kLwG3ySKLaKY8aT94wS5R4VdDjEgE+Nf1N/URa/eBShY78V2YmjtSq5
X-Received: by 2002:a17:907:1c92:: with SMTP id nb18mr411578ejc.309.1643231422754;
        Wed, 26 Jan 2022 13:10:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643231422; cv=none;
        d=google.com; s=arc-20160816;
        b=iWg8OTmRETHGlLcDgPYvV8ksp/V9WEpFunIVHlz6lcRezVPiWLx9mGQYH6/TxWaMtf
         YeU+TOpAbQcuCe7PtKUQdA84IIK/6KxI9mqJB/Dkm2YY13vGYmzCjapjNtYckWncwChw
         8xXqUvWyBunZUbkMPNvMqcCPumF0m5wEChJYVkq2WBblcSf1zEjglVFlFU2jKq/NW/bx
         odElsqd2fzvlhYKjLHmyST3CW3uUmHGmt2xrY2L6BVSAzR5zVr7kG8SNJV72Jg47obEx
         Eo4WWgqVPXFIczTZGREvTvBkRouMlIe5SyLg/NxLyK90+YGp95iGwceJHksHvpwzQ+NR
         K+pA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:to:from;
        bh=zwyVtWT2Eyuv3yb3vN+Hh6JRDyR2ImGrpydDk1oyQYY=;
        b=WN69Qa2qjBhbEoueA765U8gLCP1POmcZ9Sp54NEW9i8xMHkHYD3ZGHX2SlQ5xYkR9X
         h5ATWUEVUVww87z9U+qFoZe/rQkniawoP5cMEyXFdzaUT/g8/P916413/PeKZhbrIw53
         j+AOuRM0PFkiDsmW4pYgfDjhNXr88vAh9pv++WmfwfhCxFYUq0WaMASVZ2GccDHWxWwT
         tmHlm3DZxt7+piOy1k53mavmz7eqDcL2MzVu22onqOVDip/8UDRC2WFV5M2OlhkgQrRN
         GX6Hdxk7Wu3xAGrjkoNOoIYTuT1z5dZyuPxiq6y10oJCGLL2qT25+ap1tY6h4E1fPku9
         kT+A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id dd9si165239ejc.490.2022.01.26.13.09.53;
        Wed, 26 Jan 2022 13:10:22 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240807AbiAZLg4 (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Wed, 26 Jan 2022 06:36:56 -0500
Received: from relay8-d.mail.gandi.net ([217.70.183.201]:52351 "EHLO
        relay8-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S240850AbiAZLgo (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Wed, 26 Jan 2022 06:36:44 -0500
Received: (Authenticated sender: hadess@hadess.net)
        by mail.gandi.net (Postfix) with ESMTPSA id DCE591BF206
        for <linux-bluetooth@vger.kernel.org>; Wed, 26 Jan 2022 11:36:40 +0000 (UTC)
From:   Bastien Nocera <hadess@hadess.net>
To:     linux-bluetooth@vger.kernel.org
Subject: [PATCH 3/4] systemd: Add more filesystem lockdown
Date:   Wed, 26 Jan 2022 12:36:37 +0100
Message-Id: <20220126113638.1706785-3-hadess@hadess.net>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220126113638.1706785-1-hadess@hadess.net>
References: <20220126113638.1706785-1-hadess@hadess.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
---
 Makefile.am              | 3 +++
 src/bluetooth.service.in | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index 2ba25e687..82125c482 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -622,6 +622,9 @@ MAINTAINERCLEANFILES = Makefile.in \
 
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+		       -e 's,@libexecdir\@,$(libexecdir),g' \
+		       -e 's,@statedir\@,$(statedir),g' \
+		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
 
 if RUN_RST2MAN
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
 ProtectHome=true
 ProtectSystem=full
 PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
 
 # Privilege escalation
 NoNewPrivileges=true
-- 
2.34.1