From 417982d0236a12756923d88e627f5e4facf8951c Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Tue, 25 Jan 2022 11:50:21 +0100
Subject: [PATCH] uuidd: Whitelist libuuid clock file

Return back ProtectSystem to strict, and enable access to /var/lib/libuuid only.

Note: As LIBUUID_CLOCK_FILE does not use @localstatedir@, we use /var here as well.

Signed-off-by: Ali Abdallah
Signed-off-by: Stanislav Brabec
Signed-off-by: Karel Zak
---
 misc-utils/uuidd.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
index 065b4a1947..e64ca59b52 100644
--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
@@ -8,6 +8,7 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation
 Restart=no
 User=uuidd
 Group=uuidd
+ProtectSystem=strict
 ProtectHome=yes
 PrivateDevices=yes
 PrivateNetwork=yes
@@ -17,6 +18,7 @@ ProtectKernelModules=yes
 ProtectControlGroups=yes
 RestrictAddressFamilies=AF_UNIX
 MemoryDenyWriteExecute=yes
+ReadWritePaths=/var/lib/libuuid/
 SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
 
 [Install]
-- 
2.47.3
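Review bot: The `ReadWritePaths=/var/lib/libuuid/` line added in the second hunk becomes a start-up dependency once `ProtectSystem=strict` from the first hunk is active: if the directory is missing when the unit starts, systemd cannot build the mount namespace and the service fails before uuidd runs. Nothing visible in this patch creates the directory or makes it writable for `User=uuidd`, so the unit presumably relies on packaging for that (the install rules are outside this diff). `StateDirectory=libuuid` would have systemd create `/var/lib/libuuid` owned by the service user and keep it writable under strict protection; failing that, `ReadWritePaths=-/var/lib/libuuid/` at least lets the unit start when the path is absent. The `/var` rationale from the commit message is also worth keeping in the unit file itself, e.g. `# libuuid clock file (LIBUUID_CLOCK_FILE) is hard-coded under /var, not @localstatedir@`, so the exception to strict protection stays explained.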