On Wed, 2022-01-26 at 14:31 +0100, Marcel Holtmann wrote:
> Hi Bastien,
>
> > Some patches from 2017 to use systemd lockdown. They've been used for 5
> > years by Fedora and RHEL.
> >
> > > As we will need those paths to lock down on them.
> > > --- > > > Makefile.am | 6 +++--- > > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > > > diff --git a/Makefile.am b/Makefile.am > > > index e391d7ae8..2ba25e687 100644 > > > --- a/Makefile.am > > > +++ b/Makefile.am > > > @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS) > > > $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \ > > > $(LIBEDATASERVER_CFLAGS) > > > $(ell_cflags) > > > AM_LDFLAGS = $(MISC_LDFLAGS) > > > > > > +confdir = $(sysconfdir)/bluetooth > > > +statedir = $(localstatedir)/lib/bluetooth > > > + > > > if DATAFILES > > > dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d > > > dbus_DATA = src/bluetooth.conf > > > > > > -confdir = $(sysconfdir)/bluetooth > > > conf_DATA = > > > - > > > -statedir = $(localstatedir)/lib/bluetooth > > > state_DATA = > > > endif
> > >
>
> seems I missed that one. Can you please be more specific what this
> change does.

This change specifically? Check the next patches in the series, and
you'll see pretty quickly.

For the rest of the patchset, check this man page for details on each
of the directives:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security

There's a fair amount of other directives we could use on top of those
ones, but we can add them iteratively (and it makes bisecting easier,
in case we forget about a particular use case).

Cheers
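
Review bot: the commit message ("As we will need those paths to lock down on them") does not say why confdir and statedir have to move above `if DATAFILES` in the Makefile.am hunk, nor what will consume them. The visible effect is that both variables become defined even when DATAFILES is disabled, while `conf_DATA =` and `state_DATA =` stay inside the conditional. Please state that in the message and name the later patch in the series that uses the two paths, so this commit is understandable on its own in `git log` and during a bisect.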