From b7c6f70ae3dde7c82f631edf6521c56775360338 Mon Sep 17 00:00:00 2001
From: George Kiagiadakis
Date: Tue, 23 Feb 2021 15:56:38 +0200
Subject: [PATCH] systemd: add sandboxing also for the system service
Based on dd1bf796cbee639bbca1b9b299b744eb6c245780 and https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/blob/master/src/daemon/systemd/user/pulseaudio.service.in
See also: #763
---
 src/daemon/systemd/system/pipewire.service.in | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/daemon/systemd/system/pipewire.service.in b/src/daemon/systemd/system/pipewire.service.in
index 543dc7a60..5bdb2c77d 100644
--- a/src/daemon/systemd/system/pipewire.service.in
+++ b/src/daemon/systemd/system/pipewire.service.in
@@ -15,6 +15,12 @@ Description=Multimedia Service
 Requires=pipewire.socket
 [Service]
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 Type=simple
 ExecStart=@PW_BINARY@
 Restart=on-failure
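Review bot: The six directives added under `[Service]` are the set that also works in an unprivileged user unit, so the system unit still lacks the sandboxing that only a system service can apply: nothing here restricts the filesystem view, kernel interfaces or capabilities. Consider adding `ProtectKernelTunables=yes`, `ProtectKernelModules=yes` and `ProtectControlGroups=yes`, and evaluating `ProtectSystem=`, `ProtectHome=` and `CapabilityBoundingSet=` against what the daemon actually needs; it has to keep access to audio and video device nodes, so `PrivateDevices=` is probably not usable. Whether the unit sets `User=` is not visible in this hunk, and the remaining gaps matter more if the service runs as root. Running `systemd-analyze security pipewire.service` on a built unit would show which exposures remain after this change.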