From 99b317d4f702061ee6f8d8f16cf953296b68f1ba Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Wed, 14 Dec 2016 10:53:49 +0000
Subject: [PATCH] Use more restrictive settings when running under systemd
---
 data/fwupd.service.in | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/data/fwupd.service.in b/data/fwupd.service.in
index f3306df8d..dd175033c 100644
--- a/data/fwupd.service.in
+++ b/data/fwupd.service.in
@@ -9,4 +9,14 @@ ConditionPathExists=/var/lib/fwupd/pending.db
 Type=dbus
 BusName=org.freedesktop.fwupd
 ExecStart=@servicedir@/fwupd/fwupd
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=AF_NETLINK AF_UNIX
+RestrictRealtime=yes
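Review bot: `ProtectSystem=full` combined with `PrivateUsers=yes` looks too restrictive for a firmware daemon that runs as root: `full` remounts /usr, /boot and /etc read-only and `PrivateUsers=` leaves the service with no capabilities on the host, yet the hunk adds no `ReadWritePaths=` or capability allowance, so a plugin that has to write a capsule to the EFI system partition or open a privileged device node would presumably fail only at update time rather than at start-up. `ProtectKernelTunables=yes` likewise makes the /sys hierarchy read-only, which is worth confirming against any plugin that drives a device through sysfs before this lands. Since a unit file cannot explain the trade-off on its own, a comment above the new block such as `# Sandbox: re-check every directive below whenever a plugin gains a new write path or device access` would help whoever has to loosen it later. `SystemCallArchitectures=native` is a cheap addition to the same block that rules out foreign-ABI system calls.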