* [PATCH 1/4] build: Always define confdir and statedir
@ 2022-01-26 11:36 Bastien Nocera
From: Bastien Nocera @ 2022-01-26 11:36 UTC (permalink / raw)
  To: linux-bluetooth

As we will need those paths to lock down on them.
---
 Makefile.am | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index e391d7ae8..2ba25e687 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS) $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
 				$(LIBEDATASERVER_CFLAGS) $(ell_cflags)
 AM_LDFLAGS = $(MISC_LDFLAGS)
 
+confdir = $(sysconfdir)/bluetooth
+statedir = $(localstatedir)/lib/bluetooth
+
 if DATAFILES
 dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
 dbus_DATA = src/bluetooth.conf
 
-confdir = $(sysconfdir)/bluetooth
 conf_DATA =
-
-statedir = $(localstatedir)/lib/bluetooth
 state_DATA =
 endif
 
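Review bot: the commit message does not say why confdir and statedir have to leave the `if DATAFILES` block, which is exactly what Marcel asks later in the thread. The hunk moves the two definitions above the conditional while leaving conf_DATA and state_DATA inside it, so the install rules are unchanged and the only effect is that $(confdir) and $(statedir) are defined in every build, not just when DATAFILES is enabled. Spell that out in the message (for instance "so that the @confdir@/@statedir@ substitutions added to SED_PROCESS in the next patch work even when DATAFILES is disabled") instead of the one-line "As we will need those paths".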
-- 
2.34.1



* [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
@ 2022-01-26 11:36 ` Bastien Nocera
From: Bastien Nocera @ 2022-01-26 11:36 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Craig Andrews

From: Craig Andrews <candrews@integralblue.com>

PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.

NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f9faaa452..7c2f60bb4 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
+
+# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
 
 [Install]
 WantedBy=bluetooth.target
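Review bot: the message describes what PrivateTmp=true buys but not why it is safe here. After this hunk, anything bluetoothd writes under /tmp or /var/tmp lives in a private mount namespace and is discarded when the service stops, so if any other process exchanged files with the daemon through those directories it would break silently. The commit message should state that bluetoothd does not share files through /tmp or /var/tmp (or say what was checked); the CI result further down the thread only covers the build and `make check`, not the daemon running under this unit.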
-- 
2.34.1



* [PATCH 3/4] systemd: Add more filesystem lockdown
@ 2022-01-26 11:36 ` Bastien Nocera
From: Bastien Nocera @ 2022-01-26 11:36 UTC (permalink / raw)
  To: linux-bluetooth

The configuration file can only be accessed read-only, and the
Bluetooth cache directory and its sub-directories read-write.
---
 Makefile.am              | 3 +++
 src/bluetooth.service.in | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index 2ba25e687..82125c482 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -622,6 +622,9 @@ MAINTAINERCLEANFILES = Makefile.in \
 
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@pkglibexecdir\@,$(pkglibexecdir),g' \
+		       -e 's,@libexecdir\@,$(libexecdir),g' \
+		       -e 's,@statedir\@,$(statedir),g' \
+		       -e 's,@confdir\@,$(confdir),g' \
 		< $< > $@
 
 if RUN_RST2MAN
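Review bot: the added `-e 's,@libexecdir\@,$(libexecdir),g'` substitution is not covered by the commit message, which talks only about the configuration file and the cache directory, and no hunk in this patch introduces a @libexecdir@ placeholder; either drop it or say what consumes it. The three new expressions also inherit the limitation of the existing @pkglibexecdir\@ line: `,` is the sed delimiter, so a $(statedir) or $(confdir) value containing a comma would corrupt the expression rather than fail loudly.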
diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 7c2f60bb4..4daedef2a 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -17,6 +17,10 @@ LimitNPROC=1
 ProtectHome=true
 ProtectSystem=full
 PrivateTmp=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@statedir@
+ReadOnlyPaths=@confdir@
 
 # Privilege escalation
 NoNewPrivileges=true
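Review bot: with ProtectSystem=full kept on the context line above, /etc is already mounted read-only and /var is still writable, so ReadOnlyPaths=@confdir@ is redundant and ReadWritePaths=@statedir@ changes nothing; the two lines only become meaningful once ProtectSystem= is raised to strict. The commit message ("can only access the configuration file as read-only and read-write to the Bluetooth cache directory") describes that stronger policy, not what this hunk enforces. Either switch to ProtectSystem=strict in this patch (after confirming the daemon needs no other writable locations) or describe the two path lines as groundwork for a later change.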
-- 
2.34.1



* [PATCH 4/4] systemd: More lockdown
@ 2022-01-26 11:36 ` Bastien Nocera
From: Bastien Nocera @ 2022-01-26 11:36 UTC (permalink / raw)
  To: linux-bluetooth

bluetoothd does not need to execute mapped memory, or real-time
access, so block those.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index 4daedef2a..f18801866 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -22,9 +22,15 @@ ProtectControlGroups=true
 ReadWritePaths=@statedir@
 ReadOnlyPaths=@confdir@
 
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
 # Privilege escalation
 NoNewPrivileges=true
 
+# Real-time
+RestrictRealtime=true
+
 [Install]
 WantedBy=bluetooth.target
 Alias=dbus-org.bluez.service
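Review bot: "does not need to execute mapped memory" is asserted, not evidenced. MemoryDenyWriteExecute=true makes mmap() and mprotect() requests for PROT_WRITE|PROT_EXEC pages fail with EPERM for the whole process, including every shared library the daemon loads, and the CI run on this series exercises only the build and `make check`, never the daemon under the unit. The commit message should say how the claim was verified (the daemon started under the new unit, a device paired, the journal checked for EPERM failures); Luiz later reports problems with these changes (issue 329, linked below in the thread), which a runtime check before merging might have surfaced. A minor style point: the two new blocks are placed on either side of the existing "# Privilege escalation" block; grouping the hardening directives together keeps the file readable.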
-- 
2.34.1



* Re: [PATCH 1/4] build: Always define confdir and statedir
@ 2022-01-26 11:38 ` Bastien Nocera
From: Bastien Nocera @ 2022-01-26 11:38 UTC (permalink / raw)
  To: linux-bluetooth

Some patches from 2017 to use systemd lockdown. They've been used for 5
years by Fedora and RHEL.

Cheers

On Wed, 2022-01-26 at 12:36 +0100, Bastien Nocera wrote:
> As we will need those paths to lock down on them.
> ---
>  Makefile.am | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/Makefile.am b/Makefile.am
> index e391d7ae8..2ba25e687 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS)
> $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
>                                 $(LIBEDATASERVER_CFLAGS)
> $(ell_cflags)
>  AM_LDFLAGS = $(MISC_LDFLAGS)
>  
> +confdir = $(sysconfdir)/bluetooth
> +statedir = $(localstatedir)/lib/bluetooth
> +
>  if DATAFILES
>  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
>  dbus_DATA = src/bluetooth.conf
>  
> -confdir = $(sysconfdir)/bluetooth
>  conf_DATA =
> -
> -statedir = $(localstatedir)/lib/bluetooth
>  state_DATA =
>  endif
>  



* Re: [PATCH 1/4] build: Always define confdir and statedir
@ 2022-01-26 13:31   ` Marcel Holtmann
From: Marcel Holtmann @ 2022-01-26 13:31 UTC (permalink / raw)
  To: Bastien Nocera; +Cc: linux-bluetooth

Hi Bastien,

> Some patches from 2017 to use systemd lockdown. They've been used for 5
> years by Fedora and RHEL.
> 
>> As we will need those paths to lock down on them.
>> ---
>>  Makefile.am | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>> 
>> diff --git a/Makefile.am b/Makefile.am
>> index e391d7ae8..2ba25e687 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS)
>> $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
>>                                 $(LIBEDATASERVER_CFLAGS)
>> $(ell_cflags)
>>  AM_LDFLAGS = $(MISC_LDFLAGS)
>>  
>> +confdir = $(sysconfdir)/bluetooth
>> +statedir = $(localstatedir)/lib/bluetooth
>> +
>>  if DATAFILES
>>  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
>>  dbus_DATA = src/bluetooth.conf
>>  
>> -confdir = $(sysconfdir)/bluetooth
>>  conf_DATA =
>> -
>> -statedir = $(localstatedir)/lib/bluetooth
>>  state_DATA =
>>  endif
>>  

seems I missed that one. Can you please be more specific about what this change does?

Regards

Marcel



* Re: [PATCH 1/4] build: Always define confdir and statedir
@ 2022-01-26 13:45     ` Bastien Nocera
From: Bastien Nocera @ 2022-01-26 13:45 UTC (permalink / raw)
  To: Marcel Holtmann; +Cc: linux-bluetooth

On Wed, 2022-01-26 at 14:31 +0100, Marcel Holtmann wrote:
> Hi Bastien,
> 
> > Some patches from 2017 to use systemd lockdown. They've been used
> > for 5
> > years by Fedora and RHEL.
> > 
> > > As we will need those paths to lock down on them.
> > > ---
> > >  Makefile.am | 6 +++---
> > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/Makefile.am b/Makefile.am
> > > index e391d7ae8..2ba25e687 100644
> > > --- a/Makefile.am
> > > +++ b/Makefile.am
> > > @@ -28,14 +28,14 @@ AM_CFLAGS = $(MISC_CFLAGS) $(WARNING_CFLAGS)
> > > $(UDEV_CFLAGS) $(LIBEBOOK_CFLAGS) \
> > >                                 $(LIBEDATASERVER_CFLAGS)
> > > $(ell_cflags)
> > >  AM_LDFLAGS = $(MISC_LDFLAGS)
> > >  
> > > +confdir = $(sysconfdir)/bluetooth
> > > +statedir = $(localstatedir)/lib/bluetooth
> > > +
> > >  if DATAFILES
> > >  dbusdir = $(DBUS_CONFDIR)/dbus-1/system.d
> > >  dbus_DATA = src/bluetooth.conf
> > >  
> > > -confdir = $(sysconfdir)/bluetooth
> > >  conf_DATA =
> > > -
> > > -statedir = $(localstatedir)/lib/bluetooth
> > >  state_DATA =
> > >  endif
> > >  
> 
> seems I missed that one. Can you please be more specific what this
> change does.

This change specifically? Check the next patches in the series, and
you'll see pretty quickly.

For the rest of the patchset, check this man page for details on each
of the directives:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security

There's a fair amount of other directives we could use on top of those
ones, but we can add them iteratively (and it makes bisecting easier,
in case we forget about a particular use case).

Cheers
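The reply above points at systemd.exec(5) for the meaning of each directive. The script below is an added example, not BlueZ or systemd code: it parses the [Service] section of a unit file, reports which of the directives this series introduces are missing, and checks whether ReadWritePaths=/ReadOnlyPaths= actually narrow anything at the configured ProtectSystem= level, using the read-only trees that systemd.exec(5) documents for each level. The embedded unit text is a constructed sample of the final state of bluetooth.service.in in this series, with @statedir@ and @confdir@ substituted by hand with the Makefile.am defaults; it is not the project's shipped file.

```python
"""Static audit of systemd sandboxing directives (added example, not BlueZ code)."""
from collections import defaultdict

# Constructed sample: final state of the series with @statedir@/@confdir@
# replaced by the defaults from Makefile.am. Not the real shipped unit file.
SAMPLE_UNIT = """\
[Unit]
Description=Bluetooth service

[Service]
Type=dbus
BusName=org.bluez
ExecStart=/usr/libexec/bluetooth/bluetoothd
NotifyAccess=main
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
LimitNPROC=1

# Filesystem lockdown
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadWritePaths=/var/lib/bluetooth
ReadOnlyPaths=/etc/bluetooth

# Execute Mappings
MemoryDenyWriteExecute=true

# Privilege escalation
NoNewPrivileges=true

# Real-time
RestrictRealtime=true

[Install]
WantedBy=bluetooth.target
"""

# Directives the four patches add, in the order the series introduces them.
SERIES_DIRECTIVES = (
    "PrivateTmp", "NoNewPrivileges", "ProtectKernelTunables",
    "ProtectControlGroups", "ReadWritePaths", "ReadOnlyPaths",
    "MemoryDenyWriteExecute", "RestrictRealtime",
)

# Trees that ProtectSystem= mounts read-only at each level, per systemd.exec(5).
# strict's exceptions for /dev, /proc and /sys are not modelled here.
_USR_BOOT = ("/usr", "/boot", "/efi")
READONLY_BY_LEVEL = {
    "no": (), "false": (), "0": (), "off": (),
    "yes": _USR_BOOT, "true": _USR_BOOT, "1": _USR_BOOT, "on": _USR_BOOT,
    "full": _USR_BOOT + ("/etc",),
    "strict": ("/",),
}


def parse_service_section(text):
    """Return {key: [values]} for the [Service] section.

    systemd lets a key repeat (values accumulate), which configparser does not
    allow, so the section is parsed by hand. Comment and blank lines are skipped.
    """
    values = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()].append(value.strip())
    return dict(values)


def _under(path, trees):
    """True if path is one of the trees or lies inside one of them."""
    return any(path == t or path.startswith(t.rstrip("/") + "/") for t in trees)


def missing_directives(service):
    return [d for d in SERIES_DIRECTIVES if d not in service]


def path_findings(service):
    """Flag path directives that do not change anything at the ProtectSystem= level."""
    level = service.get("ProtectSystem", ["no"])[-1].lower()
    already_ro = READONLY_BY_LEVEL.get(level, ())
    findings = []
    # Values are space-separated; a leading '-' or '+' is a systemd prefix, not part of the path.
    for p in " ".join(service.get("ReadOnlyPaths", [])).split():
        p = p.lstrip("-+")
        if _under(p, already_ro):
            findings.append(f"ReadOnlyPaths={p} is redundant: ProtectSystem={level} already makes it read-only")
    for p in " ".join(service.get("ReadWritePaths", [])).split():
        p = p.lstrip("-+")
        if not _under(p, already_ro):
            findings.append(f"ReadWritePaths={p} has no effect: ProtectSystem={level} leaves it writable anyway")
    return findings


def audit(text):
    service = parse_service_section(text)
    return {
        "protect_system": service.get("ProtectSystem", ["no"])[-1],
        "missing": missing_directives(service),
        "path_findings": path_findings(service),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_UNIT).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit finds none of the series' directives missing but flags both path lines: under ProtectSystem=full, /etc/bluetooth is already read-only and /var/lib/bluetooth is already writable, so the two lines only start to matter once ProtectSystem=strict is set. Pointing the script at a real unit file (read the text from /etc/systemd/system or /usr/lib/systemd/system) is a quick way to see what the directives from the man page actually add on a given level.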


* RE: [1/4] build: Always define confdir and statedir
@ 2022-01-26 14:07 ` bluez.test.bot
From: bluez.test.bot @ 2022-01-26 14:07 UTC (permalink / raw)
  To: linux-bluetooth, hadess


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=608628

---Test result---

Test Summary:
CheckPatch                    PASS      5.68 seconds
GitLint                       PASS      3.84 seconds
Prep - Setup ELL              PASS      41.84 seconds
Build - Prep                  PASS      0.71 seconds
Build - Configure             PASS      8.38 seconds
Build - Make                  PASS      1292.67 seconds
Make Check                    PASS      11.33 seconds
Make Check w/Valgrind         PASS      448.95 seconds
Make Distcheck                PASS      231.67 seconds
Build w/ext ELL - Configure   PASS      8.74 seconds
Build w/ext ELL - Make        PASS      1305.94 seconds
Incremental Build with patches PASS      5303.63 seconds



---
Regards,
Linux Bluetooth



* Re: [1/4] build: Always define confdir and statedir
@ 2022-01-31 18:45   ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2022-01-31 18:45 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Bastien Nocera

Hi Bastien,

On Wed, Jan 26, 2022 at 1:28 PM <bluez.test.bot@gmail.com> wrote:
>
> This is an automated email; please do not reply to it!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> These are the CI test results for your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=608628
>
> ---Test result---
>
> Test Summary:
> CheckPatch                    PASS      5.68 seconds
> GitLint                       PASS      3.84 seconds
> Prep - Setup ELL              PASS      41.84 seconds
> Build - Prep                  PASS      0.71 seconds
> Build - Configure             PASS      8.38 seconds
> Build - Make                  PASS      1292.67 seconds
> Make Check                    PASS      11.33 seconds
> Make Check w/Valgrind         PASS      448.95 seconds
> Make Distcheck                PASS      231.67 seconds
> Build w/ext ELL - Configure   PASS      8.74 seconds
> Build w/ext ELL - Make        PASS      1305.94 seconds
> Incremental Build with patches PASS      5303.63 seconds
>
>
>
> ---
> Regards,
> Linux Bluetooth

Applied, thanks.

-- 
Luiz Augusto von Dentz


* Re: [PATCH 1/4] build: Always define confdir and statedir
@ 2022-02-01  9:32       ` Bastien Nocera
From: Bastien Nocera @ 2022-02-01  9:32 UTC (permalink / raw)
  To: Marcel Holtmann; +Cc: linux-bluetooth

On Wed, 2022-01-26 at 14:45 +0100, Bastien Nocera wrote:
> This change specifically? Check the next patches in the series, and
> you'll see pretty quickly.
> 
> For the rest of the patchset, check this man page for details on each
> of the directives:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security
> 
> There's a fair amount of other directives we could use on top of
> those
> ones, but we can add them iteratively (and it makes bisecting easier,
> in case we forget about a particular use case).

Did you have any more questions about this patchset?


* Re: [PATCH 1/4] build: Always define confdir and statedir
@ 2022-04-12 19:48         ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2022-04-12 19:48 UTC (permalink / raw)
  To: Bastien Nocera; +Cc: Marcel Holtmann, linux-bluetooth

Hi Bastien,

On Wed, Feb 2, 2022 at 5:55 AM Bastien Nocera <hadess@hadess.net> wrote:
>
> On Wed, 2022-01-26 at 14:45 +0100, Bastien Nocera wrote:
> > This change specifically? Check the next patches in the series, and
> > you'll see pretty quickly.
> >
> > For the rest of the patchset, check this man page for details on each
> > of the directives:
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security
> >
> > There's a fair amount of other directives we could use on top of
> > those
> > ones, but we can add them iteratively (and it makes bisecting easier,
> > in case we forget about a particular use case).
>
> Did you have any more questions about this patchset?

Looks like we have some problems with these changes:

https://github.com/bluez/bluez/issues/329

-- 
Luiz Augusto von Dentz


* [PATCH 2/4] systemd: Add PrivateTmp and NoNewPrivileges options
@ 2017-09-20 11:48 ` Bastien Nocera
From: Bastien Nocera @ 2017-09-20 11:48 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Craig Andrews

From: Craig Andrews <candrews@integralblue.com>

PrivateTmp makes bluetoothd's /tmp and /var/tmp be inside a different
namespace. This is useful to secure access to temporary files of the
process.

NoNewPrivileges ensures that the service process and all its children
can never gain new privileges through execve(), lowering the risk of
possible privilege escalations.
---
 src/bluetooth.service.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in
index f799f65f0..a6f3030f9 100644
--- a/src/bluetooth.service.in
+++ b/src/bluetooth.service.in
@@ -12,8 +12,14 @@ NotifyAccess=main
 #Restart=on-failure
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 LimitNPROC=1
+
+# Filesystem lockdown
 ProtectHome=true
 ProtectSystem=full
+PrivateTmp=true
+
+# Privilege escalation
+NoNewPrivileges=true
 
 [Install]
 WantedBy=bluetooth.target
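Review bot: this 2017 posting carries the same hunk as the 2022 resend (blob ids f799f65f0..a6f3030f9 here against f9faaa452..7c2f60bb4 there) with identical context lines, so the service file did not change in this region in between. One point on the NoNewPrivileges description in the message: with CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE kept on the context line, the daemon still runs with those capabilities; NoNewPrivileges=true only stops the process and its children from gaining more through setuid or file-capability binaries on execve(), it does not reduce what bluetoothd already holds, and the message would be clearer saying so.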
-- 
2.14.1


