Give read-write access to USB devices in /dev, and the location of the fingerprints, access to Unix sockets for D-Bus and close everything else down. See systemd.exec(5) for details about the options.
It's just better if we get activated via systemd rather than dbus. Various bits of configury/makefile taken from polkit. https://bugs.freedesktop.org/show_bug.cgi?id=58468
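
The two changes described above (a locked-down service, activated through systemd instead of directly by D-Bus) could look like the following unit; this is an added illustration, not the unit file from these commits. The names `org.example.Daemon`, `example-daemon.service`, `/usr/libexec/example-daemon` and `/var/lib/example-prints` are placeholders, and the exact set of directives is an assumption drawn from systemd.exec(5) and systemd.resource-control(5).

```ini
# --- D-Bus system service file (placeholder: org.example.Daemon.service) ---
# SystemdService= makes the bus daemon ask systemd to start the unit
# instead of spawning the binary itself, so the sandbox below applies.
# [D-BUS Service]
# Name=org.example.Daemon
# Exec=/bin/false
# User=root
# SystemdService=example-daemon.service

# --- systemd unit (placeholder: example-daemon.service) ---
[Unit]
Description=Example fingerprint daemon (constructed illustration)

[Service]
Type=dbus
BusName=org.example.Daemon
ExecStart=/usr/libexec/example-daemon

# Filesystem: mount everything read-only, then re-open only the
# fingerprint store (placeholder path, must exist before start).
ProtectSystem=strict
ReadWritePaths=/var/lib/example-prints
ProtectHome=true
PrivateTmp=true

# Devices: ProtectSystem= does not cover /dev, so device access is
# gated separately. Only USB device nodes are allowed, read-write.
# PrivateDevices=true is deliberately absent: it would hide /dev/bus/usb.
DevicePolicy=closed
DeviceAllow=char-usb_device rw

# Sockets: Unix sockets only, which is what the D-Bus connection needs.
# A daemon that listens for udev hotplug events also needs AF_NETLINK.
RestrictAddressFamilies=AF_UNIX

# Close everything else down.
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
SystemCallArchitectures=native
```

Running `systemd-analyze security example-daemon.service` against the installed unit lists which sandboxing directives are still unset.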