colin/ModemManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

systemd: tighten the service security a bit

Browse Source 
What's left enabled:

* Access to /dev -- obviously
* CAP_SYS_ADMIN -- this is needed by TIOCSSERIAL only. Too bad this also
  allows TIOCSTI, which allows for code injection unless something else
  (SELinux) disallows access to ttys with shells.
  Maybe kernel should use CAP_SYS_TTY_CONFIG for this.
* socket(AF_NETLINK) -- udev & kernel device changes
* socket(AF_UNIX) -- D-Bus
This commit is contained in:
Lubomir Rintel
2016-10-17 18:25:08 +02:00
committed by Aleksander Morgado
parent da2b0064ee
commit ccea14ac47
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
data/ModemManager.service.in
View File

@@ -8,6 +8,12 @@ BusName=org.freedesktop.ModemManager1
ExecStart=@sbindir@/ModemManager
StandardError=null
Restart=on-abort
CapabilityBoundingSet=CAP_SYS_ADMIN
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
RestrictAddressFamilies=AF_NETLINK AF_UNIX
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target