[sensorfw] Sandbox the sensorfwd service. JB#37897 JB#44449

sailfishos · Feb 4, 2020 · 2926a49 · 2926a49
1 parent 043fb68
commit 2926a49
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/rpm/sensorfwd.service b/rpm/sensorfwd.service
@@ -11,6 +11,12 @@ ExecStart=/usr/sbin/sensorfwd -c=/etc/sensorfw/primaryuse.conf --systemd --log-l
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 RestartSec=1
+# Sandboxing
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER
+PrivateNetwork=true
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
 
 [Install]
 WantedBy=graphical.target