nixos/bluetooth: add systemd hardening
LordGrimmauld committed Jan 30, 2025
1 parent bb136ef commit cae9b03
Showing 1 changed file with 36 additions and 7 deletions.
43 changes: 36 additions & 7 deletions nixos/modules/services/hardware/bluetooth.nix
Expand Up @@ -9,7 +9,6 @@ let
package = cfg.package;

inherit (lib)
mkDefault
mkEnableOption
mkIf
mkOption
Expand All @@ -18,9 +17,7 @@ let
mkRemovedOptionModule
concatStringsSep
escapeShellArgs
literalExpression
optional
optionals
optionalAttrs
recursiveUpdate
types
Expand Down Expand Up @@ -146,10 +143,42 @@ in
{
wantedBy = [ "bluetooth.target" ];
aliases = [ "dbus-org.bluez.service" ];
serviceConfig.ExecStart = [
""
"${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}"
];
serviceConfig = {
ExecStart = [
""
"${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}"
];
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE" # sockets and tethering
];
NoNewPrivileges = true;
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateTmp = true;

PrivateUsers = false;

# loading hardware modules
ProtectKernelModules = false;
ProtectKernelTunables = false;

PrivateNetwork = false; # tethering
};
# restarting can leave people without a mouse/keyboard
unitConfig.X-RestartIfChanged = false;
};
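Review bot: The `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]` entry in the new serviceConfig lacks the empty-string reset that the ExecStart override right above it uses, and systemd merges repeated `CapabilityBoundingSet=` lines by OR, so if the package's own bluetooth.service is also installed (which the `""` reset on ExecStart suggests) the effective bounding set is the union with whatever that unit already grants rather than a restriction to CAP_NET_BIND_SERVICE. Writing it as `CapabilityBoundingSet = [ "" "CAP_NET_BIND_SERVICE" ];` makes the NixOS value authoritative; before doing that, check whether bluetoothd also needs CAP_NET_ADMIN for adapter management, since to my recollection upstream's unit grants it and the current OR-merge may have been masking that requirement. The `~`-prefixed RestrictNamespaces entries are AND-merged by systemd and so do not have this problem. The enclosing service attribute begins above this hunk.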