diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix
index 934f7c5..b47d56d 100644
--- a/hardening/systemd/acpid.nix
+++ b/hardening/systemd/acpid.nix
@@ -35,6 +35,7 @@
 PrivateDevices = false; # acpi needs device access
 PrivateNetwork = false; # required for netlink to work properly
 NoNewPrivileges = false; # acpi hooks might want to execute things at higher/different access
+ ProcSubset = "all"; # requires access to /proc/acpi
 RestrictAddressFamilies = [
 "AF_NETLINK"
 "AF_UNIX"
diff --git a/hardening/systemd/bluetooth.nix b/hardening/systemd/bluetooth.nix
index 8832dc2..5302fcd 100644
--- a/hardening/systemd/bluetooth.nix
+++ b/hardening/systemd/bluetooth.nix
@@ -3,13 +3,25 @@
 config.systemd.services = lib.mkIf (config.specialisation != { }) {
 bluetooth.serviceConfig = {
 CapabilityBoundingSet = [
- ""
+ "CAP_NET_BIND_SERVICE" # sockets and tethering
+ ];
+ RestrictAddressFamilies = [
+ "AF_UNIX" # sockets
+ "AF_INET" # tethering
+ "AF_INET6" # tethering
+ "AF_NETLINK" # deamon callback
 ];
 NoNewPrivileges = true;
- RestrictNamespaces = "pid";
+ RestrictNamespaces = [
+ "~pid"
+ "~user"
+ "~net"
+ "~uts"
+ "~mnt"
+ "~cgroup"
+ "~ipc"
+ ];
 ProtectControlGroups = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
 MemoryDenyWriteExecute = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
@@ -17,7 +29,16 @@
 LockPersonality = true;
 RestrictRealtime = true;
 ProtectProc = "invisible";
- PrivateUsers = true;
+ PrivateTmp = true;
+
+ PrivateUsers = false;
+
+ # loading hardware modules
+ ProtectKernelModules = false;
+ ProtectKernelTunables = false;
+
+ PrivateNetwork = false; # tethering
+
 };
 blueman-mechanism.serviceConfig = {
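Review bot: The added `ProcSubset = "all"` is already systemd's default value, so this line changes nothing at runtime; it only records that the `pid` subset was considered and rejected, and the comment should say that so a later reader does not take it for a loosening of an earlier restriction: `ProcSubset = "all"; # systemd default, kept explicit: "pid" would hide /proc/acpi, which acpid reads`. What the service actually sees under /proc also depends on `ProtectProc=`, which is not in this hunk, so it is worth checking the two together. The enclosing `serviceConfig` block starts and ends outside the hunk.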
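Review bot: The new `RestrictNamespaces` list puts a `~` on every entry, but systemd's option takes a single `~` in front of the whole space-separated list (`~pid user net …`); as far as I can tell the parser strips only the first tilde and then rejects `~user` as an unknown namespace type, discarding the entire setting with a warning, which would leave the unit with no namespace restriction at all, weaker than the `"pid"` allow-list it replaces. Since all seven namespace types are listed, the intent is a full deny, which is simply `RestrictNamespaces = true;`, the form systemd documents for that and one that cannot be mis-parsed. Please confirm the effective value after the change with `systemctl show bluetooth -p RestrictNamespaces` or `systemd-analyze security bluetooth`. Minor: the `AF_NETLINK` comment reads `# deamon callback` and should be `# daemon callback`. Both `config.systemd.services` and `bluetooth.serviceConfig` continue past the end of this hunk.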