On 30.06.2016 08:51, Luiz Augusto von Dentz wrote:
Hi Craig,
On Thu, Jun 30, 2016 at 12:07 AM, Craig Andrews
<candrews@xxxxxxxxxxxxxxxx> wrote:
I've been on a bit of a mission lately to improve the hardening of
systemd
services wherever I can find them. Today, I ran across this one.
I believe the hardening of the bluetooth.service (
https://git.kernel.org/cgit/bluetooth/bluez.git/tree/src/bluetooth.service.in
) can be easily improved by adding these 2 lines:
PrivateTmp=true
NoNewPrivileges=true
If there is agreement, can a committer please make this change?
I don't see any problems in doing it, how long have them been
introduced?
Going by https://github.com/systemd/systemd/blob/master/NEWS :
PrivateTmp has been around since at least systemd 183
NoNewPrivileges has been around since at least systemd 227
However, I don't think that matters very much. Quoting
https://www.freedesktop.org/software/systemd/man/systemd.unit.html :
---
Unit files may contain additional options on top of those listed here.
If systemd encounters an unknown option, it will write a warning log
message but continue loading the unit.
---
So if a user is using a version of systemd that doesn't yet have
NoNewPrivileges, for example, there's no negative consequence.
Thanks,
~Craig
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
