From 24caa93a7c0b8c65f54f54f1022158ad5ec2857e Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 29 Jan 2025 21:11:30 +0100
Subject: [PATCH] fix bluetooth
---
 hardening/systemd/acpid.nix | 1 +
 hardening/systemd/bluetooth.nix | 31 ++++++++++++++++++++++++++-----
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix
index 934f7c5..b47d56d 100644
--- a/hardening/systemd/acpid.nix
+++ b/hardening/systemd/acpid.nix
@@ -35,6 +35,7 @@
 PrivateDevices = false; # acpi needs device access
 PrivateNetwork = false; # required for netlink to work properly
 NoNewPrivileges = false; # acpi hooks might want to execute things at higher/different access
+ ProcSubset = "all"; # requires access to /proc/acpi
 RestrictAddressFamilies = [
 "AF_NETLINK"
 "AF_UNIX"
diff --git a/hardening/systemd/bluetooth.nix b/hardening/systemd/bluetooth.nix
index 8832dc2..5302fcd 100644
--- a/hardening/systemd/bluetooth.nix
+++ b/hardening/systemd/bluetooth.nix
@@ -3,13 +3,25 @@
 config.systemd.services = lib.mkIf (config.specialisation != { }) {
 bluetooth.serviceConfig = {
 CapabilityBoundingSet = [
- ""
+ "CAP_NET_BIND_SERVICE" # sockets and tethering
+ ];
+ RestrictAddressFamilies = [
+ "AF_UNIX" # sockets
+ "AF_INET" # tethering
+ "AF_INET6" # tethering
+ "AF_NETLINK" # deamon callback
 ];
 NoNewPrivileges = true;
- RestrictNamespaces = "pid";
+ RestrictNamespaces = [
+ "~pid"
+ "~user"
+ "~net"
+ "~uts"
+ "~mnt"
+ "~cgroup"
+ "~ipc"
+ ];
 ProtectControlGroups = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
 MemoryDenyWriteExecute = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
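Review bot: `ProcSubset = "all"` is systemd's default value, so the added line in acpid.nix only does anything if a shared hardening profile outside this hunk sets `ProcSubset=pid`, and the comment should name that so the next reader does not drop it as a no-op, e.g. `ProcSubset = "all"; # overrides the hardened default "pid": acpid reads /proc/acpi`. It is also worth confirming that this acpid build really uses the legacy /proc/acpi event interface rather than the netlink path that the `AF_NETLINK` entry below already allows; if it does not, leaving the subset at `pid` keeps more of /proc hidden from the service. The enclosing serviceConfig attrset starts and ends outside the hunk.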
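Review bot: The new `RestrictAddressFamilies` allowlist in bluetooth.nix permits only AF_UNIX, AF_INET, AF_INET6 and AF_NETLINK, yet bluetoothd drives the adapter through AF_BLUETOOTH sockets (HCI/mgmt, L2CAP, RFCOMM), so with this list every socket(AF_BLUETOOTH, ...) is refused by the seccomp filter and the daemon cannot use the controller; add `"AF_BLUETOOTH" # HCI/mgmt, L2CAP and RFCOMM sockets to the adapter`. The bounding set keeps only CAP_NET_BIND_SERVICE, while upstream bluez's bluetooth.service also grants CAP_NET_ADMIN because the mgmt interface needs it, so unless the NixOS bluetooth module merges it elsewhere expect power-on and discovery to fail with EPERM; `"CAP_NET_ADMIN" # mgmt interface (power, discovery)` belongs next to it. The seven `~`-prefixed `RestrictNamespaces` entries (presumably rendered as one `RestrictNamespaces=~type` line each, which systemd ANDs) amount to `RestrictNamespaces = true;` except that any type added later, such as `time`, stays permitted, so the boolean is both shorter and tighter. The AF_NETLINK comment should read "daemon callback". The bluetooth.serviceConfig attrset continues past the hunk.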
@@ -17,7 +29,16 @@
 LockPersonality = true;
 RestrictRealtime = true;
 ProtectProc = "invisible";
- PrivateUsers = true;
+ PrivateTmp = true;
+
+ PrivateUsers = false;
+
+ # loading hardware modules
+ ProtectKernelModules = false;
+ ProtectKernelTunables = false;
+
+ PrivateNetwork = false; # tethering
+
 };
 blueman-mechanism.serviceConfig = {