The modem manager systemd service https://cgit.freedesktop.org/ModemManager/ModemManager/tree/data/org.freedesktop.ModemManager1.service.in would benefit from hardening. I suggest that these lines be added to the service:

PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
ProtectHome=true

CapabilityBoundingSet= should be set, but unfortunately I don't know to what value, and I don't have a modem to actually test with to confirm.

See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Hey Craig,

Thanks for the report. I'm going to set this bug as duplicate of a newer one, just because that one already has a suggested patch I can apply :)

Looking at the differences between your suggestion and the list suggested in the new patch, I just see ProtectSystem being different (full vs true), which I don't think is an issue anyway because MM doesn't use /etc.

*** This bug has been marked as a duplicate of bug 98296 ***
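A checker for the directives proposed in the report and for the ProtectSystem difference noted in the reply, as an added example that is not part of the thread and is not ModemManager or systemd code. The sample unit, the function names and the default target level are assumptions made for illustration; it goes slightly beyond the thread by accepting every boolean spelling systemd allows.

```python
# Constructed sample unit for illustration, not the real ModemManager service file.
SAMPLE_UNIT = """\
[Unit]
Description=Example modem daemon (constructed)

[Service]
ExecStart=/usr/sbin/example-modemd
PrivateTmp=yes
ProtectSystem=true
NoNewPrivileges=true
"""

TRUE_WORDS = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts
# ProtectSystem= levels: true makes /usr and the boot loader directories
# read-only, full adds /etc, strict covers the whole file system hierarchy.
PROTECT_SYSTEM_RANK = {"1": 1, "yes": 1, "true": 1, "on": 1, "full": 2, "strict": 3}
WANTED_BOOLEANS = ("PrivateTmp", "NoNewPrivileges", "ProtectHome")


def service_settings(unit_text):
    """Return {key: value} from [Service]; a later assignment replaces an earlier one."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(unit_text, want_protect_system="full"):
    """List findings for the directives proposed in the report."""
    s = service_settings(unit_text)
    findings = []
    for key in WANTED_BOOLEANS:
        if s.get(key, "").lower() not in TRUE_WORDS:
            findings.append(f"{key} is not set to a true value")
    have = PROTECT_SYSTEM_RANK.get(s.get("ProtectSystem", "").lower(), 0)
    if have < PROTECT_SYSTEM_RANK[want_protect_system]:
        findings.append(f"ProtectSystem is weaker than {want_protect_system}")
    # An absent key leaves the bounding set unrestricted; "CapabilityBoundingSet="
    # with an empty value is present and resets the set to empty.
    if "CapabilityBoundingSet" not in s:
        findings.append("CapabilityBoundingSet is unset (no capability limit)")
    return findings
```

Calling `audit(SAMPLE_UNIT)` returns the list of findings; passing `want_protect_system="true"` accepts the weaker level discussed in the reply.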