From dd1bf796cbee639bbca1b9b299b744eb6c245780 Mon Sep 17 00:00:00 2001
From: Bryan Quigley
Date: Thu, 18 Feb 2021 21:40:00 -0800
Subject: [PATCH] systemd: add sandboxing and slice similar to pulseaudio

Adds as much sandboxing as seems to work with user sessions.
Adds pipewire to session slice per https://systemd.io/DESKTOP_ENVIRONMENTS/

Inspired from https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/blob/master/src/daemon/systemd/user/pulseaudio.service.in

Fixes: 763
---
 src/daemon/systemd/user/pipewire-pulse.service.in | 7 +++++++
 src/daemon/systemd/user/pipewire.service.in | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/src/daemon/systemd/user/pipewire-pulse.service.in b/src/daemon/systemd/user/pipewire-pulse.service.in
index 252716170..fb3e2d508 100644
--- a/src/daemon/systemd/user/pipewire-pulse.service.in
+++ b/src/daemon/systemd/user/pipewire-pulse.service.in
@@ -17,9 +17,16 @@ Requires=pipewire-pulse.socket
 ConditionUser=!root
 
 [Service]
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 Type=simple
 ExecStart=@PW_PULSE_BINARY@
 Restart=on-failure
+Slice=session.slice
 
 [Install]
 Also=pipewire-pulse.socket
diff --git a/src/daemon/systemd/user/pipewire.service.in b/src/daemon/systemd/user/pipewire.service.in
index 71cfc262d..2303418b1 100644
--- a/src/daemon/systemd/user/pipewire.service.in
+++ b/src/daemon/systemd/user/pipewire.service.in
@@ -16,9 +16,16 @@ Description=Multimedia Service
 Requires=pipewire.socket
 
 [Service]
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 Type=simple
 ExecStart=@PW_BINARY@
 Restart=on-failure
+Slice=session.slice
 
 [Install]
 Also=pipewire.socket
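Review bot: With `SystemCallFilter=@system-service` and no `SystemCallErrorNumber=`, any syscall outside the allow-list terminates the daemon with SIGSYS, which together with the existing `Restart=on-failure` surfaces only as a SIGSYS exit in the journal followed by a restart rather than as a clear error; the identical block is added in pipewire.service.in in the second hunk. A comment above the sandboxing lines would save the next maintainer a debugging session, e.g. `# Sandboxing: a syscall outside @system-service kills the daemon with SIGSYS; check the user journal for a SIGSYS exit before loosening this filter`, and `SystemCallErrorNumber=EPERM` is an option while the allow-list is still being validated against real workloads. The commit message says these are "as much sandboxing as seems to work with user sessions"; which directives were tried and dropped is worth recording in the unit file itself, since the message is the only place that reasoning currently lives.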
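Review bot: `MemoryDenyWriteExecute=yes` is the directive in this block most likely to fail at runtime rather than at unit load, because it makes any mmap/mprotect that creates a writable-and-executable mapping return EPERM, which dynamically loaded modules or libraries that JIT may depend on; the same line is added in pipewire-pulse.service.in. Whether anything PipeWire loads needs such mappings is not visible from this patch, so a one-line comment recording that this was verified with the shipped plugins, e.g. `# MemoryDenyWriteExecute breaks libraries that JIT; if a plugin fails with EPERM on mmap/mprotect, this is the first directive to relax`, would make the trade-off explicit. Both [Service] sections are otherwise outside the hunk, so whether any other directive already conflicts with these cannot be checked here.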