From 2fd86624e502687775901e65b005802d47fe7106 Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Fri, 2 Oct 2020 14:17:38 +0200
Subject: [PATCH] data: Add additional fprintd lockdown

---
 data/fprintd.service.in | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index 9ea7a2a..daca723 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -15,6 +15,8 @@ ProtectControlGroups=true
 StateDirectory=fprint
 ProtectHome=true
 PrivateTmp=true
+ProtectKernelLogs=yes
+SystemCallFilter=@system-service
 
 # Network
 PrivateNetwork=true
@@ -31,3 +33,8 @@ RestrictRealtime=true
 
 # Privilege escalation
 NoNewPrivileges=true
+TasksMax=1
+
+# Capabilities
+CapabilityBoundingSet=
+ProtectClock=yes
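Review bot: `SystemCallFilter=@system-service` is not paired with `SystemCallArchitectures=native` anywhere in this hunk, and the allow-list is only as strong as the set of syscall ABIs it is enforced for; unless that key is already set elsewhere in the unit, add `SystemCallArchitectures=native` next to it so non-native ABIs (e.g. 32-bit syscalls on x86-64) are refused outright instead of relying on per-ABI filter generation. With no `SystemCallErrorNumber=` the default action for a syscall outside @system-service is to kill fprintd with SIGSYS, which is the stricter choice but means the filter should be validated against a real enrol/verify run with a device, since a libfprint driver could use a call outside the set. The `[Service]` section this hunk patches continues outside the hunk.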
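Review bot: `TasksMax=1` limits the service cgroup to a single task, so any thread created by fprintd or the libraries it links (a libusb/GUsb event thread, GLib worker threads) would fail at clone() with EAGAIN; I cannot tell from this hunk whether fprintd stays strictly single-threaded, so this line should be confirmed against an actual enrol/verify session with a USB reader before merging, and dropped or raised if threads are spawned. `CapabilityBoundingSet=` (empty) combined with the existing `NoNewPrivileges=true` is the right way to drop every capability and needs no change. A minor style point: the added keys use `yes` while the surrounding file uses `true` (`NoNewPrivileges=true`, `RestrictRealtime=true`); both parse, but `ProtectClock=true` and `ProtectKernelLogs=true` would keep the unit uniform.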