feat(framework): enable fprintd service (#326)

Containerfile

@@ -100,11 +100,13 @@ RUN ostree container commit
 # Image for Framework laptops
 FROM bluefin AS bluefin-framework
 
+COPY framework/etc /etc
 COPY framework/usr /usr
 
 RUN rpm-ostree install tlp tlp-rdw stress-ng
 RUN rpm-ostree override remove power-profiles-daemon
 RUN systemctl enable tlp
+RUN systemctl enable fprintd.service
 
 RUN rm -rf /tmp/* /var/*
 RUN ostree container commit

framework/etc/systemd/system/fprintd.service

@@ -0,0 +1,48 @@
+[Unit]
+Description=Fingerprint Authentication Daemon
+Documentation=man:fprintd(1)
+
+[Service]
+Type=dbus
+BusName=net.reactivated.Fprint
+ExecStart=/usr/libexec/fprintd
+
+# Filesystem lockdown
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# This always corresponds to /var/lib/fprint
+StateDirectory=fprint
+StateDirectoryMode=0700
+ProtectHome=true
+PrivateTmp=true
+
+SystemCallFilter=@system-service
+
+# Network
+RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK
+
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+# Modules
+ProtectKernelModules=true
+
+# Real-time
+RestrictRealtime=true
+
+# Privilege escalation
+NoNewPrivileges=true
+
+# Protect clock, allow USB and SPI device access
+ProtectClock=yes
+DeviceAllow=char-usb_device rw
+DeviceAllow=char-spi rw
+DeviceAllow=char-hidraw rw
+
+# Allow tuning USB parameters (wakeup and persist)
+ReadWritePaths=/sys/devices
+
+[Install] 
+WantedBy=multi-user.target