Subject: Re: [PATCH 1/4] build: Always define confdir and statedir
From: Bastien Nocera
To: Marcel Holtmann
Cc: linux-bluetooth@vger.kernel.org
Date: Wed, 26 Jan 2022 14:45:45 +0100

On Wed, 2022-01-26 at 14:31 +0100, Marcel Holtmann wrote: > Hi Bastien, > > > Some patches from 2017 to use systemd lockdown. They've been used > > for 5 > > years by Fedora and RHEL. > > > > > As we will need those paths to lock down on them. > > > --- > > >  Makefile.am | 6 +++--- > > >  1 file changed, 3 insertions(+), 3 deletions(-) > > > > > > diff --git a/Makefile.am b/Makefile.am > > > index e391d7ae8..2ba25e687 100644 > > > --- a/Makefile.am > > > +++ b/Makefile.am 
> > > @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS) > > > $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \ > > >                                 $(LIBEDATASERVER_CFLAGS) > > > $(ell_cflags) > > >  AM_LDFLAGS = $(MISC_LDFLAGS) > > >   > > > +confdir = $(sysconfdir)/bluetooth > > > +statedir = $(localstatedir)/lib/bluetooth > > > + > > >  if DATAFILES > > >  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d > > >  dbus_DATA = src/bluetooth.conf > > >   > > > -confdir = $(sysconfdir)/bluetooth > > >  conf_DATA = > > > - > > > -statedir = $(localstatedir)/lib/bluetooth > > >  state_DATA = > > >  endif > > >   > > seems I missed that one. Can you please be more specific what this > change does. This change specifically? Check the next patches in the series, and you'll see pretty quickly. For the rest of the patchset, check this man page for details on each of the directives: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security There's a fair amount of other directives we could use on top of those ones, but we can add them iteratively (and it makes bisecting easier, in case we forget about a particular use case). Cheers
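Review bot: the two added assignments at the top of the hunk (`confdir`, `statedir`) now sit outside `if DATAFILES`, but nothing in this patch reads them, and the commit message ("As we will need those paths to lock down on them") does not say what will. Suggest naming the consumer in the commit message (the later patches in the series, going by the reply) and adding a one-line comment above the two assignments saying they are deliberately unconditional, so they are not folded back under `if DATAFILES` in a later cleanup. Since `conf_DATA =` and `state_DATA =` stay inside the conditional, it is also worth stating in the message that what gets installed when DATAFILES is disabled is not meant to change.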