5 Commits

Author SHA1 Message Date
Lubomir Rintel
ccea14ac47 systemd: tighten the service security a bit
What's left enabled:

* Access to /dev -- obviously
* CAP_SYS_ADMIN -- this is needed by TIOCSSERIAL only. Too bad this also
  allows TIOCSTI, which allows for code injection unless something else
  (SELinux) disallows access to ttys with shells.
  Maybe the kernel should use CAP_SYS_TTY_CONFIG for this.
* socket(AF_NETLINK) -- udev & kernel device changes
* socket(AF_UNIX) -- D-Bus
2016-10-24 13:15:15 +02:00
Aleksander Morgado
a05bd76564 systemd: schedule to restart the service on-abort
See https://bugzilla.gnome.org/show_bug.cgi?id=701229.
2013-06-25 12:02:42 +02:00
Aleksander Morgado
ce6777c53b Revert "systemd: simplify unit file"
This reverts commit 91898aa8b0.

See additional comments in the following bug:

  https://bugzilla.gnome.org/show_bug.cgi?id=701229

Basically, 'mask' and 'unmask' operations are not the ones we should be using
or suggesting; and the Alias= for the DBus file is the correct way to go.
2013-06-23 11:47:41 +02:00
Aleksander Morgado
91898aa8b0 systemd: simplify unit file
Avoid setting up the Alias rule, which was a helper to let us 'disable' the
systemd service including dbus-activations. Without the Alias, 'disable' will
still allow ModemManager to be started through dbus-activation. If you really
want to fully disallow starting MM through dbus-activation as well, you should
'mask' and 'unmask' the service.

E.g.:
 $ sudo systemctl mask ModemManager
ln -s '/dev/null' '/etc/systemd/system/ModemManager.service'

 $ sudo mmcli -L
error: couldn't find the ModemManager process in the bus

 $ sudo systemctl unmask ModemManager
rm '/etc/systemd/system/ModemManager.service'

 $ sudo mmcli -L
No modems were found

https://bugzilla.gnome.org/show_bug.cgi?id=701229
2013-06-06 10:07:17 +02:00
Aleksander Morgado
222825d642 systemd: include systemd unit file support
Allow systemd to handle the life cycle of the ModemManager process.
2013-02-06 17:32:59 +01:00