systemd: tighten the service security a bit

What's left enabled: * Access to /dev -- obviously * CAP_SYS_ADMIN -- this is needed by TIOCSSERIAL only. Too bad this also allows TIOCSTI, which allows for code injection unless something else (SELinux) disallows access to ttys with shells. Maybe kernel should use CAP_SYS_TTY_CONFIG for this. * socket(AF_NETLINK) -- udev & kernel device changes * socket(AF_UNIX) -- D-Bus
author: Lubomir Rintel <lkundrak@v3.sk> 2016-10-17 18:25:08 +0200
committer: Aleksander Morgado <aleksander@aleksander.es> 2016-10-24 13:15:15 +0200
commit: ccea14ac476737535124b6e9e553fcdc57b67529 (patch)
tree: 918cac1d1b1e358aa3d1edf7a12aef30fe2d0e03 /data
parent: da2b0064eec3ff7710ef2efd79df53b426d6ef7a (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/data/ModemManager.service.in b/data/ModemManager.service.in
index 9fe3a3bc..aac4ab05 100644
--- a/data/ModemManager.service.in
+++ b/data/ModemManager.service.in
@@ -8,6 +8,12 @@ BusName=org.freedesktop.ModemManager1
 ExecStart=@sbindir@/ModemManager
 StandardError=null
 Restart=on-abort
+CapabilityBoundingSet=CAP_SYS_ADMIN
+ProtectSystem=true
+ProtectHome=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_NETLINK AF_UNIX
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target
author	Lubomir Rintel <lkundrak@v3.sk>	2016-10-17 18:25:08 +0200
committer	Aleksander Morgado <aleksander@aleksander.es>	2016-10-24 13:15:15 +0200
commit	ccea14ac476737535124b6e9e553fcdc57b67529 (patch)
tree	918cac1d1b1e358aa3d1edf7a12aef30fe2d0e03 /data
parent	da2b0064eec3ff7710ef2efd79df53b426d6ef7a (diff)