* [PATCH 1/4] build: Always define confdir and statedir
From: Bastien Nocera @ 2017-09-20 11:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Bastien Nocera
As we will need those paths to lock down on them.
---
Makefile.am | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 555f301ca..1c38d94e5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -30,14 +30,14 @@ include_HEADERS =
AM_CFLAGS = $(WARNING_CFLAGS) $(MISC_CFLAGS)
AM_LDFLAGS = $(MISC_LDFLAGS)
+confdir = $(sysconfdir)/bluetooth
+statedir = $(localstatedir)/lib/bluetooth
+
if DATAFILES
dbusdir = @DBUS_CONFDIR@/dbus-1/system.d
dbus_DATA = src/bluetooth.conf
-confdir = $(sysconfdir)/bluetooth
conf_DATA =
-
-statedir = $(localstatedir)/lib/bluetooth
state_DATA =
endif
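Review bot: the move itself is fine, but nothing in this hunk uses `confdir` or `statedir`, and the commit message does not say what will; a reader of this patch alone cannot tell why the two definitions leave the `if DATAFILES` block. State in the message that the systemd unit is going to consume them through `@statedir@`/`@confdir@` substitution in later patches of the series, so the dependency is recorded in the history.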
--
2.14.1
* [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
From: Bastien Nocera @ 2017-09-20 11:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Craig Andrews
From: Craig Andrews <candrews@integralblue.com>
PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.
NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f799f65f0..a6f3030f9 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1
+
+# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
[Install]
WantedBy=bluetooth.target
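Review bot: `NoNewPrivileges=true` blocks every privilege gain across execve(), which includes LSM domain transitions and not only setuid or file-capability gains, so on SELinux-enforcing systems the daemon may fail to transition into its own domain; the follow-up in this thread confirms exactly that breakage on Fedora until the kernel's SELinux support was fixed. The commit message should record that dependency on the kernel fix. Minor style point: `# Filesystem lockdown` is placed above the pre-existing `ProtectHome`/`ProtectSystem` lines while `# Privilege escalation` heads a single new directive; keep the headings consistent, either commenting every group or none.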
--
2.14.1
* [PATCH 3/4] systemd: Add more filesystem lockdown
From: Bastien Nocera @ 2017-09-20 11:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Bastien Nocera
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
---
Makefile.am | 2 ++
src/bluetooth.service.in | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 1c38d94e5..13ccf9079 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -478,6 +478,8 @@ MAINTAINERCLEANFILES = Makefile.in \
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
+ -e 's,@statedir\@,$(statedir),g' \
+ -e 's,@confdir\@,$(confdir),g' \
< $< > $@
%.service: %.service.in Makefile
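Review bot: the two new sed expressions only work because patch 1/4 made `statedir` and `confdir` unconditional; if that patch is dropped or reordered, `$(statedir)` and `$(confdir)` expand to nothing and the unit ends up with `ReadWritePaths=` and `ReadOnlyPaths=`, which systemd interprets as resetting those lists rather than as an error, so the lockdown disappears silently. Note the dependency in the commit message, or have the `SED_PROCESS` rule fail when either variable is empty.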
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index a6f3030f9..7e55b5043 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
# Privilege escalation
NoNewPrivileges=true
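Review bot: the commit message says bluetoothd can only write to the cache directory, but with `ProtectSystem=full` (the setting two lines above) `/var` stays writable, so `ReadWritePaths=@statedir@` does not narrow anything; `ReadWritePaths=` only acts as an allow-list under `ProtectSystem=strict`. Likewise `ReadOnlyPaths=@confdir@` is already covered by `full` mounting `/etc` read-only. Either move to `ProtectSystem=strict` (after checking that the daemon writes nowhere else under `/var`) or reword the message to describe what `full` actually gives. `ProtectKernelTunables=true` and `ProtectControlGroups=true` look fine for a daemon that talks to the kernel over sockets rather than sysfs.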
--
2.14.1
* [PATCH 4/4] systemd: More lockdown
From: Bastien Nocera @ 2017-09-20 11:48 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Bastien Nocera
bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
src/bluetooth.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7e55b5043..e8267b338 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
ReadWritePaths=@statedir@
ReadOnlyPaths=@confdir@
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
# Privilege escalation
NoNewPrivileges=true
+# Real-time
+RestrictRealtime=true
+
[Install]
WantedBy=bluetooth.target
Alias=dbus-org.bluez.service
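Review bot: `MemoryDenyWriteExecute=true` and `RestrictRealtime=true` are both enforced through seccomp filters, so on kernels or architectures without seccomp they are skipped with only a warning, and `MemoryDenyWriteExecute=` additionally implies `NoNewPrivileges=yes` when the service lacks CAP_SYS_ADMIN; worth one line in the commit message so nobody assumes the restriction is unconditional. Layout: `# Execute Mappings` is inserted before `# Privilege escalation` while `# Real-time` lands between `NoNewPrivileges=true` and `[Install]`; grouping the seccomp-based directives together would make the unit easier to audit later.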
--
2.14.1
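The four patches above describe the sandboxing directives one by one, but a packager wants to check the installed unit as a whole, including the interaction between `ReadWritePaths=` and `ProtectSystem=` noted in review. The script below is an added example, not BlueZ code or anything from this thread: it parses unit-file text with systemd's repeated-key and `Key=` reset semantics, then reports which of the directives from this series are missing and whether `ReadWritePaths=` actually narrows anything. The two unit texts are constructed; the "after" one mirrors `src/bluetooth.service.in` at the end of the series with `@statedir@`/`@confdir@` replaced by the directories patch 1/4 defines under a default prefix, and the `ExecStart` path is a placeholder.

```python
"""Audit a systemd unit for the sandboxing directives added in this series.

Added example, not BlueZ code. Sample unit texts are constructed.
"""
from __future__ import annotations

TRUE_WORDS = {"1", "yes", "true", "on"}

# Plain boolean directives the patch series turns on.
EXPECTED_BOOLEANS = (
    "PrivateTmp",
    "ProtectKernelTunables",
    "ProtectControlGroups",
    "NoNewPrivileges",
    "MemoryDenyWriteExecute",
    "RestrictRealtime",
)

# Constructed: unit as it would read after patches 1-4 with a default prefix.
UNIT_AFTER_SERIES = """\
[Unit]
Description=Bluetooth service

[Service]
Type=dbus
BusName=org.bluez
ExecStart=/usr/libexec/bluetooth/bluetoothd   # placeholder path
NotifyAccess=main
#Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1

# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadWritePaths=/var/lib/bluetooth
ReadOnlyPaths=/etc/bluetooth

# Execute Mappings
MemoryDenyWriteExecute=true

# Privilege escalation
NoNewPrivileges=true

# Real-time
RestrictRealtime=true

[Install]
WantedBy=bluetooth.target
Alias=dbus-org.bluez.service
"""

# Constructed: the same unit before the series, with only the older settings.
UNIT_BEFORE_SERIES = """\
[Service]
Type=dbus
BusName=org.bluez
ExecStart=/usr/libexec/bluetooth/bluetoothd   # placeholder path
NotifyAccess=main
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1
ProtectHome=true
ProtectSystem=full
"""


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse unit text into {section: {key: [values]}}.

    Unlike configparser this keeps repeated keys in order and honours the
    systemd rule that an empty assignment ("Key=") resets a list setting.
    """
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section
        key, _, value = line.partition("=")
        values = current.setdefault(key.strip(), [])
        if value.strip():
            values.append(value.strip())
        else:
            values.clear()  # "Key=" resets the accumulated list
    return sections


def last_value(service: dict[str, list[str]], key: str, default: str) -> str:
    """For scalar settings the last assignment wins, as in systemd."""
    values = service.get(key)
    return values[-1] if values else default


def audit(unit_text: str) -> list[str]:
    """Return findings about missing or ineffective lockdown; [] means clean."""
    service = parse_unit(unit_text).get("Service", {})
    findings: list[str] = []

    # An absent bounding set keeps every capability; an empty one drops all.
    if "CapabilityBoundingSet" not in service:
        findings.append("CapabilityBoundingSet is unset: service keeps all capabilities")

    if last_value(service, "ProtectHome", "no").lower() not in TRUE_WORDS | {"read-only", "tmpfs"}:
        findings.append("ProtectHome is not enabled")

    for key in EXPECTED_BOOLEANS:
        if last_value(service, key, "no").lower() not in TRUE_WORDS:
            findings.append(f"{key} is not enabled")

    protect = last_value(service, "ProtectSystem", "no").lower()
    if protect not in TRUE_WORDS | {"full", "strict"}:
        findings.append("ProtectSystem is off: /usr and /boot stay writable")

    # ReadWritePaths= is an allow-list, so it only narrows write access when
    # everything else is read-only, i.e. under ProtectSystem=strict. With
    # "full", /var (and therefore all of /var/lib) is writable regardless.
    rw_paths = [p for v in service.get("ReadWritePaths", []) for p in v.split()]
    if rw_paths and protect != "strict":
        findings.append(
            f"ReadWritePaths={' '.join(rw_paths)} only limits writes under "
            f"ProtectSystem=strict; with ProtectSystem={protect} the rest of /var stays writable"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("before", UNIT_BEFORE_SERIES), ("after", UNIT_AFTER_SERIES)):
        print(f"{label}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Run it as-is to compare the two constructed units; to audit a real unit, read the output of `systemctl cat bluetooth.service` into `audit()`. The parser deliberately does not go through `configparser`, which would silently collapse repeated keys and lose the `Key=` reset that systemd uses for list-valued settings such as `ReadWritePaths=`.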
* Re: [PATCH 1/4] build: Always define confdir and statedir
From: Bastien Nocera @ 2017-11-24 14:15 UTC (permalink / raw)
To: linux-bluetooth
On Wed, 2017-09-20 at 13:48 +0200, Bastien Nocera wrote:
> As we will need those paths to lock down on them.
The 4 patches in this patchset are still relevant.
NoNewPrivileges broke SELinux on Fedora, but the problem has since been
fixed in the kernel SELinux support to handle it properly.
Cheers
* [PATCH 1/4] build: Always define confdir and statedir
From: Bastien Nocera @ 2022-01-26 11:36 UTC (permalink / raw)
To: linux-bluetooth
As we will need those paths to lock down on them.
---
Makefile.am | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index e391d7ae8..2ba25e687 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS) $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
$(LIBEDATASERVER_CFLAGS) $(ell_cflags)
AM_LDFLAGS = $(MISC_LDFLAGS)
+confdir = $(sysconfdir)/bluetooth
+statedir = $(localstatedir)/lib/bluetooth
+
if DATAFILES
dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
dbus_DATA = src/bluetooth.conf
-confdir = $(sysconfdir)/bluetooth
conf_DATA =
-
-statedir = $(localstatedir)/lib/bluetooth
state_DATA =
endif
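Review bot: this is the 2017 patch rebased unchanged, and the commit message still does not say that the systemd unit consumes these variables through `@statedir@`/`@confdir@` substitution (patch 3/4), which is the only reason they must live outside the `if DATAFILES` block; spell that out so the history explains the move.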
--
2.34.1
* [PATCH 3/4] systemd: Add more filesystem lockdown
From: Bastien Nocera @ 2022-01-26 11:36 UTC (permalink / raw)
To: linux-bluetooth
We can only access the configuration file as read-only and read-write
to the Bluetooth cache directory and sub-directories.
---
Makefile.am | 3 +++
src/bluetooth.service.in | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 2ba25e687..82125c482 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -622,6 +622,9 @@ MAINTAINERCLEANFILES = Makefile.in \
SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+ -e 's,@libexecdir\@,$(libexecdir),g' \
+ -e 's,@statedir\@,$(statedir),g' \
+ -e 's,@confdir\@,$(confdir),g' \
< $< > $@
if RUN_RST2MAN
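Review bot: the added `-e 's,@libexecdir\@,$(libexecdir),g'` is not mentioned in the commit message and is unrelated to confdir/statedir; the surrounding context only substitutes `@pkglibexecdir@`, so either explain which template needs `@libexecdir@` or split that line into its own patch. As with the 2017 version, the `@statedir@`/`@confdir@` substitutions depend on patch 1/4 keeping both variables defined outside `if DATAFILES`; otherwise the unit silently gets empty `ReadWritePaths=`/`ReadOnlyPaths=` lines.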
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
# Privilege escalation
NoNewPrivileges=true
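Review bot: unchanged from the 2017 submission, and the same caveat applies: `ProtectSystem=full` leaves `/var` writable, so `ReadWritePaths=@statedir@` is a no-op here and the commit message's claim that only the cache directory is writable would only hold under `ProtectSystem=strict`; `ReadOnlyPaths=@confdir@` is likewise already implied by `full` mounting `/etc` read-only.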
--
2.34.1