Bug 98296

Summary: systemd: tighten the service security a bit
Product: ModemManager
Reporter: Lubomir Rintel <lkundrak>
Component: general
Assignee: ModemManager bug user <modemmanager>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
CC: candrews
Version: git master
Hardware: Other
OS: All
Attachments: systemd: tighten the service security a bit

Description Lubomir Rintel 2016-10-17 16:31:11 UTC
Created attachment 127365
systemd: tighten the service security a bit

What's left enabled:
    
    * Access to /dev -- obviously
    * CAP_SYS_ADMIN -- this is needed by TIOCSSERIAL only. Too bad this also
      allows TIOCSTI, which allows for code injection unless something else
      (SELinux) disallows access to ttys with shells.
      Maybe the kernel should use CAP_SYS_TTY_CONFIG for this.
    * socket(AF_NETLINK) -- udev & kernel device changes
    * socket(AF_UNIX) -- D-Bus
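
An added example, not part of the original report or the attached patch: a small Python audit that checks a unit's [Service] section against the "left enabled" list above. The sample units and the ExecStart path are constructed, and mapping the list to CapabilityBoundingSet=, RestrictAddressFamilies= and PrivateDevices= is an assumption about how such a policy would be expressed.

```python
# Added example: audit a [Service] section against the "left enabled" list.
ALLOWED = {
    "CapabilityBoundingSet": {"CAP_SYS_ADMIN"},               # TIOCSSERIAL
    "RestrictAddressFamilies": {"AF_NETLINK", "AF_UNIX"},     # udev, D-Bus
}

# Constructed sample units (assumptions, not the attachment from this bug).
TIGHT_UNIT = """\
[Service]
ExecStart=/usr/sbin/ModemManager
CapabilityBoundingSet=CAP_SYS_ADMIN
RestrictAddressFamilies=AF_NETLINK AF_UNIX
NoNewPrivileges=true
"""
LOOSE_UNIT = """\
[Service]
ExecStart=/usr/sbin/ModemManager
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_NET_ADMIN
RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET
PrivateDevices=true
"""

def service_settings(unit_text):
    """Map each [Service] key to the list of words assigned to it."""
    section, out = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out.setdefault(key, []).extend(value.split())
    return out

def audit(unit_text):
    """Return findings; an empty list means the unit matches the allow-lists."""
    cfg, findings = service_settings(unit_text), []
    for key, allowed in ALLOWED.items():
        values = cfg.get(key)
        if values is None:
            findings.append(f"{key}: not set")
        elif any(v.startswith("~") for v in values):
            findings.append(f"{key}: uses ~ (deny-list), expected an allow-list")
        else:
            findings += [f"{key}: unexpected {v}" for v in sorted(set(values) - allowed)]
            findings += [f"{key}: missing {v}" for v in sorted(allowed - set(values))]
    if (cfg.get("PrivateDevices") or ["no"])[-1].lower() in ("1", "yes", "true", "on"):
        findings.append("PrivateDevices: enabled, hides the physical nodes in /dev")
    return findings
```
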

Comment 1 Aleksander Morgado 2016-10-24 11:18:02 UTC
*** Bug 96725 has been marked as a duplicate of this bug. ***

Comment 2 Aleksander Morgado 2016-10-24 11:19:07 UTC
Pushed to git master, thanks!
