From 72f3bc6fa461a2899a06c87c137c7135e410e387 Mon Sep 17 00:00:00 2001
From: Robert Helgesson
Date: Sat, 14 Aug 2021 15:13:31 +0200
Subject: [PATCH] flameshot: add some service sandboxing
---
 modules/services/flameshot.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/modules/services/flameshot.nix b/modules/services/flameshot.nix
index ed523561..8a0d6db2 100644
--- a/modules/services/flameshot.nix
+++ b/modules/services/flameshot.nix
@@ -34,6 +34,15 @@ in {
 Environment = "PATH=${config.home.profileDirectory}/bin";
 ExecStart = "${package}/bin/flameshot";
 Restart = "on-abort";
+
+ # Sandboxing.
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateUsers = true;
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
 };
 };
 };
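Review bot: With `SystemCallFilter = "@system-service"` acting as an allow-list and no `SystemCallErrorNumber` set, a syscall outside the set terminates flameshot with SIGSYS, and the `Restart = "on-abort"` context line just above would then restart it, so a missed syscall shows up as a crash/restart cycle rather than a failed operation. Consider adding `SystemCallErrorNumber = "EPERM";` next to the filter so a denied call returns an error and is easier to diagnose from the journal. `MemoryDenyWriteExecute = true` is also worth testing against the Qt and graphics-driver libraries flameshot loads, since any code that maps writable-executable memory fails under it; the hunk does not show whether that was checked. The enclosing attribute set begins outside the hunk.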