From 2926a491dd603a7ad482a928440efba63caa2acb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matti=20Lehtim=C3=A4ki?=
Date: Tue, 21 May 2019 18:09:29 +0300
Subject: [PATCH] [sensorfw] Sandbox the sensorfwd service. JB#37897 JB#44449
---
 rpm/sensorfwd.service | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/rpm/sensorfwd.service b/rpm/sensorfwd.service
index 0b9b674b..5db1294c 100644
--- a/rpm/sensorfwd.service
+++ b/rpm/sensorfwd.service
@@ -11,6 +11,12 @@ ExecStart=/usr/sbin/sensorfwd -c=/etc/sensorfw/primaryuse.conf --systemd --log-l
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 RestartSec=1
+# Sandboxing
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER
+PrivateNetwork=true
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
 [Install]
 WantedBy=graphical.target
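Review bot: The bounding set on the `CapabilityBoundingSet=` line keeps CAP_DAC_OVERRIDE, which lets the daemon bypass file permission checks on every path the other directives leave writable (ProtectSystem=full covers /usr, /boot and /etc, but not /var, /run or /dev), so the confinement is narrower than the bare `# Sandboxing` comment suggests. No `User=` line is visible in the hunk, so this presumably applies to a root process; the [Service] section starts outside the hunk. I would record why each capability is required, e.g. `# CAP_DAC_OVERRIDE, CAP_FOWNER: <reason, to be stated by the author>`, and add `NoNewPrivileges=yes` if sensorfwd never executes setuid helpers. The booleans also mix `true` and `yes`; one spelling throughout would read better.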