Unverified Commit dd659174 authored by Pol Dellaiera's avatar Pol Dellaiera Committed by GitHub

nixos/bluetooth: add systemd hardening (#377927)

parents 429efb0a 58c1ab24
+29 −8
@@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
  utils,
  ...
}:
let
@@ -9,7 +10,6 @@ let
  package = cfg.package;

  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkOption
@@ -17,10 +17,7 @@ let
    mkRenamedOptionModule
    mkRemovedOptionModule
    concatStringsSep
    escapeShellArgs
    literalExpression
    optional
    optionals
    optionalAttrs
    recursiveUpdate
    types
@@ -146,10 +143,34 @@ in
          {
            wantedBy = [ "bluetooth.target" ];
            aliases = [ "dbus-org.bluez.service" ];
            serviceConfig.ExecStart = [
            serviceConfig = {
              ExecStart = [
                ""
              "${package}/libexec/bluetooth/bluetoothd ${escapeShellArgs args}"
                "${package}/libexec/bluetooth/bluetoothd ${utils.escapeSystemdExecArgs args}"
              ];
              CapabilityBoundingSet = [
                "CAP_NET_BIND_SERVICE" # sockets and tethering
              ];
              NoNewPrivileges = true;
              RestrictNamespaces = true;
              ProtectControlGroups = true;
              MemoryDenyWriteExecute = true;
              RestrictSUIDSGID = true;
              SystemCallArchitectures = "native";
              SystemCallFilter = "@system-service";
              LockPersonality = true;
              RestrictRealtime = true;
              ProtectProc = "invisible";
              PrivateTmp = true;

              PrivateUsers = false;

              # loading hardware modules
              ProtectKernelModules = false;
              ProtectKernelTunables = false;

              PrivateNetwork = false; # tethering
            };
            # restarting can leave people without a mouse/keyboard
            unitConfig.X-RestartIfChanged = false;
          };
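Review bot: The new CapabilityBoundingSet keeps only CAP_NET_BIND_SERVICE, which strips CAP_NET_ADMIN from a bluetoothd that still runs as root (no User= is set); the kernel marks an HCI management socket as trusted only if the binding process holds CAP_NET_ADMIN, and an untrusted mgmt socket is refused most commands (powering the adapter, pairing), which is why the upstream bluez unit ships `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` — please verify on real hardware and, if adapters fail to come up, add `"CAP_NET_ADMIN" # HCI management socket` to the list. Relatedly, `ProtectKernelModules = false; # loading hardware modules` is inconsistent with that bounding set: CAP_SYS_MODULE is already absent, so the service cannot load modules whatever this setting says, and either the comment should state what the relaxed value is really needed for or the two `false` lines can be dropped so the stronger default applies. Since the unit has no ProtectSystem/ProtectHome at all, the filesystem side of the hardening is weaker than upstream's `ProtectSystem=strict` plus `StateDirectory=bluetooth`; worth a follow-up if that combination works with the NixOS state paths. The enclosing systemd.services definition begins before this section, and the diffstat suggests further files of the commit are not shown here.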