systemd/systemd-services: add unit file for fprintd (MR 6205)

[ci:skip-build]: already built successfully in CI

extra-repos/systemd/systemd-services/APKBUILD

@@ -7,7 +7,7 @@
 # How to add a new service file (5 steps):
 pkgname=systemd-services
 # 1. bump pkgver
-pkgver=48
+pkgver=49
 pkgrel=0
 pkgdesc="Systemd service files"
 url="https://postmarketos.org"
@@ -30,6 +30,7 @@ subpackages="
 	evolution-data-server-systemd:_service
 	flatpak-systemd:_service
 	fnott-systemd:_service
+	fprintd-systemd:_service
 	geoclue-systemd:_service
 	gnome-clocks-systemd:_service
 	gnome-terminal-systemd:_service
@@ -114,6 +115,7 @@ _flatpak_sources="
 # - https://github.com/flatpak/flatpak/tree/main/env.d
 # - https://github.com/flatpak/flatpak/tree/main/data/tmpfiles.d
 _fnott_sources="user/fnott.service"
+_fprintd_sources="system/fprintd.service" # From https://gitlab.freedesktop.org/libfprint/fprintd/-/blob/master/data/fprintd.service.in
 _geoclue_sources="system/geoclue.service" # From https://gitlab.freedesktop.org/geoclue/geoclue/-/blob/master/data/geoclue.service.in
 _gnome_clocks_sources="user/gnome-clocks.service"
 _gnome_terminal_sources="user/gnome-terminal-server.service" # From https://gitlab.gnome.org/GNOME/gnome-terminal/-/blob/master/src/gnome-terminal-server.service.in
@@ -186,6 +188,7 @@ source="$(flatpath \
 	$_evolution_data_server_sources \
 	$_flatpak_sources \
 	$_fnott_sources \
+	$_fprintd_sources \
 	$_geoclue_sources \
 	$_gnome_clocks_sources \
 	$_gnome_terminal_sources \
@@ -344,6 +347,7 @@ f73df99518af1fd13f96342f561d43b69ebf757cdfd4444cee61665d5bfaa715c5be458cb44feb4a
 2d1337da0d1ac7ea5d6ffefbe05621970fef491278028589f5095ee6072867977eca7a68a997d6870e450546c2077d999207fadb568ab611833769555bfb5c64  user-environment-generators-60-flatpak
 ae2d20da95e519041f6eca39dd140895b2c46284f0894c60a29cf56b87704805146ddc2435e46e7fffbfc8bcab2cabceb32a10804ba1b648e2ed041c0b056102  tmpfiles.d-flatpak.conf
 2ea000042483130762700cd1b409100407bf844d7683a46dfa7bd4b48a84bfc81278339449647a45c216ad3fb23173bf268a5761a733d367e805c75193c79ee8  user-fnott.service
+c86ffe994aa78b3d68c3956c54255c9479d832c4a2fd3905deec6ef620871bacf60f7a9cb7ef9a3dfd7993354d4590b8b5efef3159274477857c3ead614dee02  system-fprintd.service
 f3463b85ac47055b400dfd2e24694c5e1dc6ab039efac0fe54496fc027c0732cda5e52a362a497b372dea671dc615154e8abfea866728d243cbbcd25e68a91aa  system-geoclue.service
 bc7987a001d2076788d904f1ea6d3e97a2ab905ee55302ffb90402133c2b9fb760d7ad94e06971d811b9d905048e164cb78355f8cd087219b5b8ff6dab2fbd9c  user-gnome-clocks.service
 ccf803ac6a764570a98845f0b0ddcde0529943472ce4cc3dc904501883a51fda482d7aef3b84fac89590e869fecdcec9142a6eac3db8ae73782a5e29f32eaae1  user-gnome-terminal-server.service

extra-repos/systemd/systemd-services/system-fprintd.service

+[Unit]
+Description=Fingerprint Authentication Daemon
+Documentation=man:fprintd(1)
+
+[Service]
+Type=dbus
+BusName=net.reactivated.Fprint
+ExecStart=/usr/libexec/fprintd
+
+# Filesystem lockdown
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# This always corresponds to /var/lib/fprint
+StateDirectory=fprint
+StateDirectoryMode=0700
+ProtectHome=true
+PrivateTmp=true
+
+SystemCallFilter=@system-service
+
+# Network
+RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK
+
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+# Modules
+ProtectKernelModules=true
+
+# Real-time
+RestrictRealtime=true
+
+# Privilege escalation
+NoNewPrivileges=true
+
+# Protect clock, allow USB and SPI device access
+ProtectClock=yes
+DeviceAllow=char-usb_device rw
+DeviceAllow=char-spi rw
+DeviceAllow=char-hidraw rw
+DeviceAllow=/dev/cros_fp rw
+
+# Allow tuning USB parameters (wakeup and persist)
+ReadWritePaths=/sys/devices