data: Restrict syscall usage of fprintd

fprintd only needs very few syscalls. Mainly normal IO operations and ioctl for USB access. All of this is covered by @system-service, we could likely restrict it quite a bit more though.
author: Benjamin Berg <bberg@redhat.com> 2021-06-29 21:10:59 +0200
committer: Benjamin Berg <bberg@redhat.com> 2021-06-29 21:10:59 +0200
commit: 7aecec1449b8fdfc78453cfd4259aa2af97e557a (patch)
tree: 240dcd915336fac7992983ac965015da704cd05d
parent: 0f7340130e6231503b76019799b9458ee27ab92c (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index 8ff9fc9..47297f9 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -18,6 +18,8 @@ StateDirectoryMode=0700
 ProtectHome=true
 PrivateTmp=true
 
+SystemCallFilter=@system-service
+
 # Network
 PrivateNetwork=true
 RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK
author	Benjamin Berg <bberg@redhat.com>	2021-06-29 21:10:59 +0200
committer	Benjamin Berg <bberg@redhat.com>	2021-06-29 21:10:59 +0200
commit	7aecec1449b8fdfc78453cfd4259aa2af97e557a (patch)
tree	240dcd915336fac7992983ac965015da704cd05d
parent	0f7340130e6231503b76019799b9458ee27ab92c (diff)