data: Add additional fprintd lockdown

author: Bastien Nocera <hadess@hadess.net> 2020-10-02 14:17:38 +0200
committer: Benjamin Berg <benjamin@sipsolutions.net> 2020-10-13 09:28:39 +0000
commit: 2fd86624e502687775901e65b005802d47fe7106 (patch)
tree: d7b909b20989a3867fd6382788ec55b71245fa75 /data
parent: 6dc699ae6fec2e2ff644b0d7b9c3665d3d302336 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index 9ea7a2a..daca723 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -15,6 +15,8 @@ ProtectControlGroups=true
 StateDirectory=fprint
 ProtectHome=true
 PrivateTmp=true
+ProtectKernelLogs=yes
+SystemCallFilter=@system-service
 
 # Network
 PrivateNetwork=true
@@ -31,3 +33,8 @@ RestrictRealtime=true
 
 # Privilege escalation
 NoNewPrivileges=true
+TasksMax=1
+
+# Capabilities
+CapabilityBoundingSet=
+ProtectClock=yes
author	Bastien Nocera <hadess@hadess.net>	2020-10-02 14:17:38 +0200
committer	Benjamin Berg <benjamin@sipsolutions.net>	2020-10-13 09:28:39 +0000
commit	2fd86624e502687775901e65b005802d47fe7106 (patch)
tree	d7b909b20989a3867fd6382788ec55b71245fa75 /data
parent	6dc699ae6fec2e2ff644b0d7b9c3665d3d302336 (diff)