From 16c489490c0e450ea4240f822a46d18475f0d601 Mon Sep 17 00:00:00 2001
From: Marcel Holtmann
Date: Sat, 3 Aug 2019 09:52:28 +0200
Subject: [PATCH] build: Fix issue with incorrect ReadWritePaths in unit files

---
 Makefile.am | 6 ++++--
 configure.ac | 3 +++
 src/iwd.service.in | 2 +-
 wired/ead.service.in | 9 +++++++++
 4 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 41ac0745..d3f37e01 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -568,8 +568,10 @@ ell/ell.h: Makefile
 echo "#include <$$f>" >> $@ ; \
 done
 
-SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
- $(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
+SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && $(SED) \
+ -e 's,@libexecdir\@,$(libexecdir),g' \
+ -e 's,@daemon_storagedir\@,$(daemon_storagedir),g' \
+ -e 's,@wired_storagedir\@,$(wired_storagedir),g' \
 < $< > $@
 
 %.service: %.service.in Makefile
diff --git a/configure.ac b/configure.ac
index 43f8eb23..19c43020 100644
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,9 @@ else
 wired_storagedir="${localstatedir}/lib/ead"
 fi
 
+AC_SUBST([daemon_storagedir], [${daemon_storagedir}])
+AC_SUBST([wired_storagedir], [${wired_storagedir}])
+
 AC_DEFINE_UNQUOTED(DAEMON_STORAGEDIR, "${daemon_storagedir}",
 [Directory for Wireless daemon storage files])
 AC_DEFINE_UNQUOTED(DAEMON_CONFIGDIR, "/etc/iwd",
diff --git a/src/iwd.service.in b/src/iwd.service.in
index 9bf48245..9ebea5cd 100644
--- a/src/iwd.service.in
+++ b/src/iwd.service.in
@@ -15,7 +15,7 @@ DevicePolicy=closed
 DeviceAllow=/dev/rfkill rw
 ProtectHome=yes
 ProtectSystem=strict
-ReadWritePaths=/var/lib/iwd/
+ReadWritePaths=@daemon_storagedir@
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 
diff --git a/wired/ead.service.in b/wired/ead.service.in
index 4fc18304..812901db 100644
--- a/wired/ead.service.in
+++ b/wired/ead.service.in
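Review bot: The two new `-e` expressions in SED_PROCESS paste `$(daemon_storagedir)` and `$(wired_storagedir)` into the sed replacement unescaped, so a configured path containing `,`, `&` or a backslash would break the expression or be rewritten before it reaches `ReadWritePaths=`. The same already holds for `$(libexecdir)`, but these two values become the writable boundary of the sandbox, and `ReadWritePaths=` takes a space-separated list, so whitespace in the path would change which paths are writable. A comment above the definition would record the constraint, e.g. `# storage dirs are substituted verbatim into ReadWritePaths=: no ',', '&', '\' or whitespace`. The `%.service` rule that uses SED_PROCESS continues outside the hunk.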
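Review bot: The values exported by the two `AC_SUBST` lines are expanded by make when the unit files are generated, whereas `AC_DEFINE_UNQUOTED(DAEMON_STORAGEDIR, "${daemon_storagedir}", ...)` just below is expanded by the shell at configure time. If `daemon_storagedir` can still hold an unexpanded reference such as `${prefix}` at this point (most of the assignments are outside the hunk, so this is an inference), the compiled-in path and the `ReadWritePaths=` path would differ and the daemon would be denied writes under `ProtectSystem=strict`. A comment would tie the two together: `dnl Unit files take ReadWritePaths= from these; must stay identical to the storage dir defines below.`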
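Review bot: `ReadWritePaths=@daemon_storagedir@` requires the directory to exist when the unit starts: with `ProtectSystem=strict` a missing path makes systemd fail the mount-namespace setup, the daemon cannot create it itself because the parent is read-only, and nothing in this patch creates it. The same applies to `ReadWritePaths=@wired_storagedir@` in wired/ead.service.in. Either the install step should create both directories with restrictive permissions, or the requirement should be stated on a line above the setting, e.g. `# directory must exist before start; it is not created by the daemon`. The [Service] section starts and ends outside this hunk.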
@@ -8,6 +8,15 @@ Type=dbus
 BusName=net.connman.ead
 ExecStart=@libexecdir@/ead
 LimitNPROC=1
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHome=yes
+ProtectSystem=strict
+ReadWritePaths=@wired_storagedir@
+ProtectControlGroups=yes
+ProtectKernelModules=yes
 
 [Install]
 WantedBy=multi-user.target
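Review bot: The sandbox added to ead.service leaves the capability set untouched: `NoNewPrivileges=true` stops privilege gain through exec, but the service keeps whatever capabilities it starts with, and no `User=` appears in the lines shown (the [Service] section starts above the hunk), so that is presumably full root. A `CapabilityBoundingSet=` limited to what ead needs would close that gap; the exact set has to be confirmed against the daemon, which is not visible here. The block also mixes `true` and `yes` for booleans, and one spelling throughout would read better. Since the commit subject mentions only ReadWritePaths, the description should say that ead gains a full sandbox and `Restart=on-failure`.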