From c91939710b506fbafe4190b8dd5ee7b1d75394a8 Mon Sep 17 00:00:00 2001 From: James Valleroy Date: Sat, 21 Dec 2019 16:55:50 -0500 Subject: [PATCH] storage: Add systemd sandboxing features to udiskie service Signed-off-by: James Valleroy Reviewed-by: Sunil Mohan Adapa --- .../lib/systemd/system/freedombox-udiskie.service | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/plinth/modules/storage/data/lib/systemd/system/freedombox-udiskie.service b/plinth/modules/storage/data/lib/systemd/system/freedombox-udiskie.service index a905d999c..99dfb5f69 100644 --- a/plinth/modules/storage/data/lib/systemd/system/freedombox-udiskie.service +++ b/plinth/modules/storage/data/lib/systemd/system/freedombox-udiskie.service @@ -21,6 +21,18 @@ Documentation=man:udiskie(1) [Service] ExecStart=/usr/bin/udiskie +LockPersonality=yes +PrivateTmp=yes +PrivateUsers=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectSystem=full +RestrictAddressFamilies=AF_UNIX +RestrictRealtime=yes +SystemCallArchitectures=native [Install] WantedBy=multi-user.target
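Review bot: the commit message does not say how the hardened unit was tested, and `PrivateUsers=yes` together with `RestrictAddressFamilies=AF_UNIX` and `ProtectSystem=full` are the lines in this hunk most likely to change runtime behaviour for a service that handles removable media. Please state in the commit message that automount and unmount of a device were exercised with these directives in place, and consider including the `systemd-analyze security freedombox-udiskie.service` result so reviewers can see the exposure score. Two related directives that this hunk leaves out and that the `systemd-analyze security` report will flag are `NoNewPrivileges=yes` and a `CapabilityBoundingSet=` line; if they were deliberately omitted because the service needs them, a one-line comment in the unit file above the sandboxing block would save the next person from re-trying them.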