From 36d3d9d7494828fdf58e8be9908f8932472e3ee0 Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Thu, 5 Jan 2017 12:55:48 +0100
Subject: [PATCH] data: Lockdown the fprintd service

Give read-write access to USB devices in /dev, and the location of the fingerprints, access to Unix sockets for D-Bus and close everything else down.

See systemd.exec(5) for details about the options.
---
 data/Makefile.am | 2 +-
 data/fprintd.service.in | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/data/Makefile.am b/data/Makefile.am
index d71c5c5..6043b08 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -15,7 +15,7 @@ if HAVE_SYSTEMD
 systemdservicedir = $(systemdsystemunitdir)
 systemdservice_DATA = $(systemdservice_in_files:.service.in=.service)
 $(systemdservice_DATA): $(systemdservice_in_files) Makefile
-	@sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@
+	@sed -e "s|\@libexecdir\@|$(libexecdir)|" -e "s|\@localstatedir\@|$(localstatedir)|" $< > $@
 endif
 
 polkitdir = $(datadir)/polkit-1/actions
diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index cbf88d4..150e58a 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -6,3 +6,23 @@ Documentation=man:fprintd(1)
 Type=dbus
 BusName=net.reactivated.Fprint
 ExecStart=@libexecdir@/fprintd
+
+# Filesystem lockdown
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@localstatedir@/lib/fprint
+ProtectHome=true
+PrivateTmp=true
+
+# Network
+PrivateNetwork=true
+
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+# Modules
+ProtectKernelModules=true
+
+# Real-time
+RestrictRealtime=true
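Review bot: The rewritten recipe still redirects sed's output straight into `$@`, so a sed failure or an interrupted build leaves a truncated fprintd.service that is newer than its inputs and is never regenerated, and the leading `@` hides which command failed. Write to a scratch file and rename it into place, `@sed -e "s|\@libexecdir\@|$(libexecdir)|" -e "s|\@localstatedir\@|$(localstatedir)|" $< > $@.tmp && mv -f $@.tmp $@`, which is portable across make implementations; `.DELETE_ON_ERROR:` would also cover the failure case on GNU make. The rule's enclosing `if HAVE_SYSTEMD` conditional begins outside the hunk.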
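Review bot: Nothing in the added options confines device access or privileges, so a compromised fprintd (apparently still running as root, since no `User=` is visible) keeps the full capability set and every node under /dev/. The commit message's "read-write access to USB devices in /dev" has no `DevicePolicy=`/`DeviceAllow=` behind it — `ProtectSystem=strict` leaves all of /dev/ writable — and "Unix sockets for D-Bus" has no `RestrictAddressFamilies=AF_UNIX`; there is also no `NoNewPrivileges=`, `CapabilityBoundingSet=` or `SystemCallFilter=`. The lines below are what I would add after the existing lockdown block; as far as I can tell they are available in systemd of this patch's era, but the empty bounding set and the `char-usb_device` group name need a test enrol/verify run and a check against /proc/devices on a target machine. Separately, `ReadWritePaths=@localstatedir@/lib/fprint` requires the directory to exist at start-up or the bind mount fails and the unit will not start; this patch does not show where that directory is created, so confirm the package installs it or add a tmpfiles.d entry. The `[Service]` section these keys belong to starts outside the hunk.
```ini
ExecStart=@libexecdir@/fprintd
# … unchanged: existing Filesystem/Network/Execute Mappings/Modules/Real-time options …

# Privileges and syscalls
NoNewPrivileges=true
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap

# Devices: only the USB device nodes the fingerprint readers live on
DevicePolicy=closed
DeviceAllow=char-usb_device rw
```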