diff mbox series

[4/4] systemd: More lockdown

Message ID 20220126113638.1706785-4-hadess@hadess.net
State New
Headers show
Series [1/4] build: Always define confdir and statedir | expand

Commit Message

Bastien Nocera Jan. 26, 2022, 11:36 a.m. UTC 
bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
diff mbox series

Patch

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 4daedef2a..f18801866 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@  ProtectControlGroups=true
 ReadWritePaths=@statedir@
 ReadOnlyPaths=@confdir@
 
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
 # Privilege escalation
 NoNewPrivileges=true
 
+# Real-time
+RestrictRealtime=true
+
 [Install]
 WantedBy=bluetooth.target
 Alias=dbus-org.bluez.service