From 7aecec1449b8fdfc78453cfd4259aa2af97e557a Mon Sep 17 00:00:00 2001 From: Benjamin Berg Date: Tue, 29 Jun 2021 21:10:59 +0200 Subject: [PATCH] data: Restrict syscall usage of fprintd fprintd only needs very few syscalls. Mainly normal IO operations and ioctl for USB access. All of this is covered by @system-service, we could likely restrict it quite a bit more though. --- data/fprintd.service.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/fprintd.service.in b/data/fprintd.service.in index 8ff9fc9..47297f9 100644 --- a/data/fprintd.service.in +++ b/data/fprintd.service.in @@ -18,6 +18,8 @@ StateDirectoryMode=0700 ProtectHome=true PrivateTmp=true +SystemCallFilter=@system-service + # Network PrivateNetwork=true RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK
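Review bot: The new `SystemCallFilter=@system-service` line in data/fprintd.service.in is added without `SystemCallArchitectures=native`, so on a multi-ABI system the filter can be sidestepped through a non-native syscall ABI. systemd's documentation recommends pairing the two, so I would add `SystemCallArchitectures=native` directly below it. Two smaller points on the same hunk. First, the commit message says the set could be restricted further: a follow-up line such as `SystemCallFilter=~@privileged @resources` would subtract groups from the allow-list, but it needs testing against the USB ioctl path before it goes in. Second, a filtered call terminates the daemon with SIGSYS by default. If failing the call is preferable to killing fprintd mid-operation, set `SystemCallErrorNumber=EPERM`. The neighbouring block has a `# Network` comment, and a short comment above the new line would keep the unit file consistent.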