From e13acf74dd4418bc7c913ad111eb75dd4cbaf82d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 15 May 2012 15:05:17 +0200
Subject: systemd: secure rtkit service a bit
---
 rtkit-daemon.service.in | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'rtkit-daemon.service.in')
diff --git a/rtkit-daemon.service.in b/rtkit-daemon.service.in
index 5b82a82..3dfefa6 100644
--- a/rtkit-daemon.service.in
+++ b/rtkit-daemon.service.in
@@ -23,6 +23,9 @@ ExecStart=@LIBEXECDIR@/rtkit-daemon
 Type=dbus
 BusName=org.freedesktop.RealtimeKit1
 NotifyAccess=main
+CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+PrivateTmp=yes
+PrivateNetwork=yes
 
 # Work around the fact that the Linux currently doesn't assign any RT
 # budget to CPU control groups that have none configured explicitly
-- 
cgit
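Review bot: The added `CapabilityBoundingSet=` line keeps six capabilities, including the broad CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, CAP_SETUID and CAP_SETGID, and nothing in the unit says why each one is retained. A bounding set only caps what the service can ever hold; it drops nothing by itself, so whether the daemon sheds the start-up-only capabilities after initialisation depends on code this hunk does not show. I would add a comment above the line recording the purpose of each entry and which ones should be gone once the daemon is running, for example `# CAP_SYS_NICE: adjust client scheduling; CAP_SETUID/CAP_SETGID/CAP_SYS_CHROOT: presumably start-up privilege drop only (confirm against the daemon source)`. That gives a later reviewer a written reference for tightening the set.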