]> git.ipfire.org Git - thirdparty/util-linux.git/commitdiff
projects / thirdparty / util-linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cc999cc)
uuidd: Whitelist libuuid clock file
authorStanislav Brabec <sbrabec@suse.cz>
Tue, 25 Jan 2022 10:50:21 +0000 (11:50 +0100)
committerKarel Zak <kzak@redhat.com>
Tue, 25 Jan 2022 10:50:21 +0000 (11:50 +0100)
Return back ProtectSystem to strict, and enable access to
/var/lib/libuuid only.

Note: As LIBUUID_CLOCK_FILE does not use @localstatedir@, we use
/var here as well.

Signed-off-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Signed-off-by: Karel Zak <kzak@redhat.com>
misc-utils/uuidd.service.in patch | blob | blame | history

diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
index 065b4a194771be34f07cb408ef9773eb9ceb260d..e64ca59b521bec362390ccea6645eb66b1fc939a 100644 (file)
--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
@@ -8,6 +8,7 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation
 Restart=no
 User=uuidd
 Group=uuidd
+ProtectSystem=strict
 ProtectHome=yes
 PrivateDevices=yes
 PrivateNetwork=yes
@@ -17,6 +18,7 @@ ProtectKernelModules=yes
 ProtectControlGroups=yes
 RestrictAddressFamilies=AF_UNIX
 MemoryDenyWriteExecute=yes
+ReadWritePaths=/var/lib/libuuid/
 SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
 
 [Install]
Unnamed repository; edit this file 'description' to name the repository.