From fcd7e9bc7676f3510866b4d33e65c65d365550d1 Mon Sep 17 00:00:00 2001
From: Benjamin Berg
Date: Tue, 29 Jun 2021 20:48:16 +0200
Subject: [PATCH] data: Only allow access to USB and SPI devices

That is all that fprintd.

Note that ProtectClock already restricts device access and other device types need to be listed explicitly because of this.
---
 data/fprintd.service.in | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index 02bd13e..ef20c1d 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -32,3 +32,8 @@ RestrictRealtime=true
 # Privilege escalation
 NoNewPrivileges=true
+
+# Protect clock, allow USB and SPI device access
+ProtectClock=yes
+DeviceAllow=char-usb_device rw
+DeviceAllow=char-spi rw
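Review bot: The two DeviceAllow= lines at the end of the hunk only act as an allow-list because ProtectClock=yes implies a closed device policy (which is what the commit message relies on); with systemd's default DevicePolicy=auto, removing or disabling ProtectClock= in a later cleanup would silently turn the allow-list into a no-op. Make the intent explicit by adding `DevicePolicy=closed` directly above the DeviceAllow= lines, so the restriction no longer depends on a side effect of an unrelated option. The comment should also state what the allow-list actually scopes: `char-usb_device` admits every USB device node (all of /dev/bus/usb), not only fingerprint readers, because cgroup device filtering works per device class, e.g. `# Device policy: ProtectClock= already closes device access; re-open only the USB and SPI character-device classes fprintd drives (note this is all USB devices, not just readers)`. As far as I know cgroup device filtering is only enforced where the device controller is available, so inside containers without it these lines are a hint rather than a boundary — worth a sentence in the same comment if that matters for fprintd deployments.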