[dsme] Sandbox the dsme service. JB#44449, JB#37897
krnlyng committed Jun 11, 2019
1 parent 5dd2347 commit 1494f8c
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions rpm/dsme.service
Expand Up @@ -19,6 +19,22 @@ RestartSec=1
StartLimitInterval=600
StartLimitBurst=3
StartLimitAction=reboot
# Sandboxing
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_LOCK CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_WAKE_ALARM
# System update uses /tmp/os-update-running which should be relocated
PrivateTmp=no
PrivateNetwork=true
ProtectHome=yes
ProtectSystem=full
DevicePolicy=closed
DeviceAllow=char-rtc rw
DeviceAllow=/dev/alarm rw
DeviceAllow=char-input r
DeviceAllow=/dev/watchdog rw
DeviceAllow=/dev/watchdog0 rw
DeviceAllow=/dev/watchdog1 rw
DeviceAllow=/dev/twl4030_wdt rw
DeviceAllow=/dev/console rw

[Install]
WantedBy=multi-user.target
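Review bot: The `CapabilityBoundingSet=` line keeps CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_FOWNER without saying which dsme code path needs them. Together these bypass file permission and ownership checks on every path that `ProtectSystem=full` and `ProtectHome=yes` leave writable, so they deserve the same kind of justification the `PrivateTmp=no` line gets. Please add a short comment per capability group, and check whether CAP_DAC_READ_SEARCH can be dropped, since CAP_DAC_OVERRIDE already covers read and search permission checks. Two smaller points: `PrivateTmp=no` is already the systemd default, so the line only serves as documentation. The comment above it would be more useful if it named the ticket that tracks relocating /tmp/os-update-running, so the setting gets flipped once that lands. The boolean spelling is also mixed (`PrivateNetwork=true` next to `PrivateTmp=no` and `ProtectHome=yes`); pick one form for the block.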
