diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix
index e90a612700cc1b..a7316103c10b9b 100644
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@@ -9,7 +9,6 @@ let
 package = cfg.package;
 inherit (lib)
- mkDefault
 mkEnableOption
 mkIf
 mkOption
@@ -18,9 +17,7 @@ let
 mkRemovedOptionModule
 concatStringsSep
 escapeShellArgs
- literalExpression
 optional
- optionals
 optionalAttrs
 recursiveUpdate
 types
@@ -146,10 +143,42 @@ in {
 wantedBy = [ "bluetooth.target" ];
 aliases = [ "dbus-org.bluez.service" ];
- serviceConfig.ExecStart = [
- ""
- "${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}"
- ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ "${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}"
+ ];
+ CapabilityBoundingSet = [
+ "CAP_NET_BIND_SERVICE" # sockets and tethering
+ ];
+ NoNewPrivileges = true;
+ RestrictNamespaces = [
+ "~pid"
+ "~user"
+ "~net"
+ "~uts"
+ "~mnt"
+ "~cgroup"
+ "~ipc"
+ ];
+ ProtectControlGroups = true;
+ MemoryDenyWriteExecute = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ LockPersonality = true;
+ RestrictRealtime = true;
+ ProtectProc = "invisible";
+ PrivateTmp = true;
+
+ PrivateUsers = false;
+
+ # loading hardware modules
+ ProtectKernelModules = false;
+ ProtectKernelTunables = false;
+
+ PrivateNetwork = false; # tethering
+ };
 # restarting can leave people without a mouse/keyboard
 unitConfig.X-RestartIfChanged = false;
 };
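Review bot: The new `CapabilityBoundingSet` in the third hunk keeps only `CAP_NET_BIND_SERVICE`, but as far as I recall bluetoothd drives adapters through the kernel's Bluetooth management (HCI) socket, which needs `CAP_NET_ADMIN`, and upstream bluez's own `bluetooth.service` grants `CAP_NET_ADMIN` next to `CAP_NET_BIND_SERVICE`; with it dropped from the bounding set, powering on or configuring a controller is likely to fail silently for users who merely enable the module, so please verify on hardware and, if confirmed, add `"CAP_NET_ADMIN" # HCI management socket` to the list. The `RestrictNamespaces` list negates every namespace type systemd knows, which is just the spelled-out form of `RestrictNamespaces = true;` and would be easier to audit as such, and `PrivateUsers = false;` restates the default and could carry a comment saying why it is pinned. Since the unit now owns `serviceConfig` as an attribute set, a short comment above it noting that these are hardening defaults users may override via `systemd.services.bluetooth.serviceConfig` would help the next maintainer. The enclosing `systemd.services.bluetooth` definition begins outside this hunk.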