From 089eab04b06623ee1a35678562e8c3adbd8f0a28 Mon Sep 17 00:00:00 2001 From: Lubomir Rintel Date: Mon, 17 Oct 2016 18:25:08 +0200 Subject: [PATCH] systemd: tighten the service security a bit What's left enabled: * Access to /dev -- obviously * CAP_SYS_ADMIN -- this is needed by TIOCSSERIAL only. Too bad this also allows TIOCSTI, which allows for code injection unless something else (SELinux) disallows access to ttys with shells. Maybe kernel should use CAP_SYS_TTY_CONFIG for this. * socket(AF_NETLINK) -- udev & kernel device changes * socket(AF_UNIX) -- D-Bus --- data/ModemManager.service.in | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/data/ModemManager.service.in b/data/ModemManager.service.in
index 9fe3a3b..aac4ab0 100644
--- a/data/ModemManager.service.in
+++ b/data/ModemManager.service.in
@@ -8,6 +8,12 @@ BusName=org.freedesktop.ModemManager1
 ExecStart=@sbindir@/ModemManager
 StandardError=null
 Restart=on-abort
+CapabilityBoundingSet=CAP_SYS_ADMIN
+ProtectSystem=true
+ProtectHome=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_NETLINK AF_UNIX
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target
-- 2.7.4
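Review bot: The capability kept by `CapabilityBoundingSet=CAP_SYS_ADMIN` is the broadest one available and, as the commit message itself notes, still permits TIOCSTI; that rationale lives only in the log, so it belongs next to the line as well, e.g. `# CAP_SYS_ADMIN kept only for TIOCSSERIAL; it also permits TIOCSTI -- see commit log`. `ProtectSystem=true` leaves /etc writable; if ModemManager does not need to write under /etc, `ProtectSystem=full` is the stricter drop-in value. `RestrictAddressFamilies=` is enforced through seccomp and is silently skipped on systems where seccomp is unavailable, so it should be read as defence in depth rather than as the sole guard against other socket families. No `User=` line is visible in this hunk, so the daemon presumably still runs as root and these settings narrow, rather than remove, that trust.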