From: Stanislav Brabec <sbrabec@suse.cz>
Date: Tue, 25 Jan 2022 10:50:21 +0000 (+0100)
Subject: uuidd: Whitelist libuuid clock file
X-Git-Tag: v2.38-rc1~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=417982d0236a12756923d88e627f5e4facf8951c;p=thirdparty%2Futil-linux.git

uuidd: Whitelist libuuid clock file

Return back ProtectSystem to strict, and enable access to
/var/lib/libuuid only.

Note: As LIBUUID_CLOCK_FILE does not use @localstatedir@, we use
/var here as well.

Signed-off-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
index 065b4a1947..e64ca59b52 100644
--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
@@ -8,6 +8,7 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation
 Restart=no
 User=uuidd
 Group=uuidd
+ProtectSystem=strict
 ProtectHome=yes
 PrivateDevices=yes
 PrivateNetwork=yes
@@ -17,6 +18,7 @@ ProtectKernelModules=yes
 ProtectControlGroups=yes
 RestrictAddressFamilies=AF_UNIX
 MemoryDenyWriteExecute=yes
+ReadWritePaths=/var/lib/libuuid/
 SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
 
 [Install]