From 4ffd57f83d9cc36c8908c42bcf3d452392bb0e60 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel
Date: Thu, 4 Jun 2015 14:30:02 +0200
Subject: [PATCH] service: harden the NetworkManager service a bit

Tested with dnsmasq (ipv4.method=shared), openvpn & vpnc.
https://bugzilla.gnome.org/show_bug.cgi?id=750598
---
 data/NetworkManager.service.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 980573d31c..42b43e381b 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -11,6 +11,9 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE
+ProtectSystem=true
+ProtectHome=read-only
 
 [Install]
 WantedBy=multi-user.target
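Review bot: The new `CapabilityBoundingSet=` line carries no comment explaining why each capability is in the set, while the adjacent `KillMode=process` line does, so the next maintainer cannot tell which entries are load-bearing and which could be dropped. A bounding set is inherited by everything the daemon spawns, so this limits dnsmasq and the VPN plugins the commit message says were tested, and any helper that is not in that list and needs a capability outside the set will fail at runtime rather than at unit load. I would add, above the line, `# Bounding set applies to NM and the helpers it spawns (dnsmasq, VPN plugins, ...);` and `# keep CAP_SYS_MODULE and CAP_DAC_OVERRIDE only while a helper actually needs them (TODO: note which)`, since those two are the broadest entries and their justification is not visible here. `ProtectSystem=true` and `ProtectHome=read-only` are mount-namespace restrictions that root's CAP_DAC_OVERRIDE does not bypass, which is worth a one-line comment too so nobody "fixes" them away when a helper cannot write under /usr.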