
Improve fm-shim-backend security and D-Bus error handling #358

Open
assisted-by-ai wants to merge 1 commit into Kicksecure:master from
assisted-by-ai:claude/security-review-fm-shim-8hki2

@assisted-by-ai

Summary

This PR enhances the security and robustness of the fm-shim-backend service by implementing file descriptor cleanup in child processes, improving D-Bus error handling, and adding systemd hardening options.

Key Changes

File Descriptor Management:

  • Added automatic cleanup of inherited file descriptors (except stdin/stdout/stderr) in child processes by scanning /proc/self/fd before executing the frontend process
  • Prevents accidental leakage of sensitive file descriptors to child processes

D-Bus Improvements:

  • Changed D-Bus name request to use DBUS_NAME_FLAG_DO_NOT_QUEUE flag, preventing the service from queuing if the name is already taken
  • Converted queued name request from a warning to a fatal error, treating it as a security issue
  • Added proper D-Bus error replies for invalid object paths, interfaces, and methods instead of silently ignoring them
  • Added cleanup of D-Bus connection and error data structures on exit

Systemd Hardening:

  • Added security-focused systemd service options:
    • NoNewPrivileges=yes - Prevents privilege escalation
    • ProtectSystem=strict - Read-only access to system directories
    • ProtectHome=read-only - Read-only access to home directory
    • PrivateTmp=yes - Private temporary directory
    • RestrictNamespaces=yes - Restrict namespace creation
    • RestrictRealtime=yes - Disable real-time scheduling
    • MemoryDenyWriteExecute=yes - Prevent executable memory allocation
    • LockPersonality=yes - Lock process personality

Implementation Details

  • Uses opendir() and readdir() to enumerate file descriptors safely
  • Validates file descriptor numbers using strtol() with proper error checking
  • Maintains compatibility by preserving the directory file descriptor during enumeration
  • D-Bus error replies are only sent when the client expects a reply

https://claude.ai/code/session_01CgrrFhhVWtqtfhvJdEcBWm
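The descriptor cleanup described above, as an added example (this is not the PR's code, and fm-shim-backend's real implementation is not shown on this page): a walk over /proc/self/fd that parses each entry with strtol, skips stdio, a caller-supplied keep list and the DIR handle's own descriptor, and closes everything else. The keep list is an assumption of this example (the PR keeps only stdin/stdout/stderr); it exists so the demo function can fork a child, run the cleanup there and report back over a pipe that survives the sweep. The extra /dev/null descriptor stands in for the D-Bus socket the commit message says must not reach the frontend.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse one /proc/self/fd entry name. Returns the descriptor number, or -1
 * for ".", ".." or anything that is not a plain non-negative integer. */
int parse_fd_name(const char *name)
{
    char *end = NULL;
    if (name == NULL || name[0] < '0' || name[0] > '9')
        return -1;              /* rejects ".", "..", "", signs, whitespace */
    errno = 0;
    long v = strtol(name, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;              /* overflow, trailing junk, out of range */
    return (int)v;
}

/* 1 if fd must survive the cleanup: stdio, or listed in keep[] (keep[] is an
 * addition of this example; the PR preserves only stdio). */
int fd_is_kept(int fd, const int *keep, size_t nkeep)
{
    if (fd == STDIN_FILENO || fd == STDOUT_FILENO || fd == STDERR_FILENO)
        return 1;
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd)
            return 1;
    return 0;
}

/* Close every inherited descriptor except stdio, keep[] and the DIR handle's
 * own descriptor, which must stay open while the directory is read (closedir
 * releases it). Meant to run in the forked child just before execve().
 * /proc/self/fd lists descriptors by number, so closing one while reading
 * does not shift the remaining entries. Returns the number closed, or -1 if
 * /proc/self/fd cannot be opened (non-Linux, or /proc not mounted). */
int close_inherited_fds(const int *keep, size_t nkeep)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int dir_fd = dirfd(dir);
    int closed = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        int fd = parse_fd_name(ent->d_name);
        if (fd < 0 || fd == dir_fd || fd_is_kept(fd, keep, nkeep))
            continue;
        if (close(fd) == 0)
            closed++;
    }
    closedir(dir);
    return closed;
}

/* Demo: open an extra descriptor (stand-in for the D-Bus socket), fork, run
 * the cleanup in the child keeping only the status pipe's write end, and let
 * the child report whether the extra descriptor and the pipe's read end are
 * really gone. Returns 1 if the cleanup behaved as intended, 0 otherwise. */
int demo_child_cleanup(void)
{
    int status_pipe[2];
    int leaked = open("/dev/null", O_RDONLY);
    if (leaked < 0 || pipe(status_pipe) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        int keep[] = { status_pipe[1] };
        int n = close_inherited_fds(keep, 1);
        /* F_GETFD on a closed descriptor fails with EBADF. */
        int leaked_gone = (fcntl(leaked, F_GETFD) == -1 && errno == EBADF);
        int rd_gone = (fcntl(status_pipe[0], F_GETFD) == -1 && errno == EBADF);
        char verdict = (n >= 2 && leaked_gone && rd_gone) ? '1' : '0';
        if (write(status_pipe[1], &verdict, 1) != 1)
            _exit(1);
        _exit(0);
    }
    close(status_pipe[1]);
    close(leaked);
    char verdict = '0';
    ssize_t got = read(status_pipe[0], &verdict, 1);
    close(status_pipe[0]);
    int wstatus;
    waitpid(pid, &wstatus, 0);
    return got == 1 && verdict == '1';
}

int main(void)
{
    printf("child fd cleanup %s\n", demo_child_cleanup() ? "ok" : "FAILED");
    return 0;
}
```

Two caveats for anyone copying this pattern: opendir/readdir allocate, so between fork() and execve() it is only safe in a single-threaded parent (a multithreaded service should use close_range() on Linux 5.9+ or raw getdents64 instead), and a -1 return means the sweep could not run at all, which a security-sensitive launcher should treat as a reason to abort rather than exec anyway.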

…ene, systemd sandboxing, and cleanup

- Add DBUS_NAME_FLAG_DO_NOT_QUEUE and terminate on IN_QUEUE to prevent
  silent name takeover after another owner exits
- Send proper D-Bus error replies for unrecognized methods, wrong object
  paths, and wrong interfaces instead of leaving callers hanging
- Close inherited file descriptors in child process before execve to
  avoid leaking the D-Bus socket to the frontend
- Add systemd sandboxing directives (NoNewPrivileges, ProtectSystem,
  ProtectHome, PrivateTmp, etc.) to the user service
- Add explicit dbus_connection_unref/dbus_error_free on main loop exit

https://claude.ai/code/session_01CgrrFhhVWtqtfhvJdEcBWm
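The two D-Bus decisions in this commit message (abort on a queued name request, and answer unroutable method calls with a proper error only when the caller is waiting for one), as an added example that is not the project's code. The functions take the plain values libdbus hands back from dbus_bus_request_name() and dbus_message_get_path()/get_interface()/get_member()/get_no_reply(), so the file builds without libdbus; the constants are copied from dbus-protocol.h, and the object path, interface and method names are hypothetical since the PR page does not show fm-shim-backend's real ones.

```c
#include <stdio.h>
#include <string.h>

/* Values copied from libdbus's dbus-protocol.h so this builds without the
 * library; the real service gets them from <dbus/dbus.h>. */
#define DBUS_NAME_FLAG_DO_NOT_QUEUE            0x4
#define DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER  1
#define DBUS_REQUEST_NAME_REPLY_IN_QUEUE       2
#define DBUS_REQUEST_NAME_REPLY_EXISTS         3
#define DBUS_REQUEST_NAME_REPLY_ALREADY_OWNER  4
#define DBUS_ERROR_UNKNOWN_OBJECT    "org.freedesktop.DBus.Error.UnknownObject"
#define DBUS_ERROR_UNKNOWN_INTERFACE "org.freedesktop.DBus.Error.UnknownInterface"
#define DBUS_ERROR_UNKNOWN_METHOD    "org.freedesktop.DBus.Error.UnknownMethod"

/* Hypothetical names for this example only. */
#define SHIM_PATH      "/org/example/FmShim"
#define SHIM_INTERFACE "org.example.FmShim"
static const char *const shim_methods[] = { "Open", "Ping" };

/* Startup policy for the reply of
 *   dbus_bus_request_name(conn, name, DBUS_NAME_FLAG_DO_NOT_QUEUE, &err).
 * With DO_NOT_QUEUE the bus answers EXISTS instead of IN_QUEUE when another
 * owner holds the name. IN_QUEUE is still handled and is fatal, because a
 * queued service silently becomes the owner the moment the current owner
 * exits. Returns 1 to keep running, 0 to abort. */
int name_request_ok(int reply)
{
    switch (reply) {
    case DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER:
    case DBUS_REQUEST_NAME_REPLY_ALREADY_OWNER:
        return 1;
    case DBUS_REQUEST_NAME_REPLY_IN_QUEUE:   /* should not happen; fatal */
    case DBUS_REQUEST_NAME_REPLY_EXISTS:     /* someone else owns the name */
    default:                                 /* -1: the request itself failed */
        return 0;
    }
}

enum dispatch_action {
    DISPATCH_HANDLE,   /* run a real handler */
    DISPATCH_ERROR,    /* send dbus_message_new_error(msg, error_name, text) */
    DISPATCH_DROP      /* unroutable, but the caller set NO_REPLY_EXPECTED */
};

struct dispatch_result {
    enum dispatch_action action;
    const char *error_name;   /* NULL unless action == DISPATCH_ERROR */
    char text[160];           /* human-readable error body */
};

static int method_known(const char *member)
{
    for (size_t i = 0; i < sizeof shim_methods / sizeof shim_methods[0]; i++)
        if (member != NULL && strcmp(shim_methods[i], member) == 0)
            return 1;
    return 0;
}

/* Route one method call. Checks run coarse to fine (object, interface,
 * method) so the caller learns the first thing that is wrong. The interface
 * may be NULL: the D-Bus wire format allows omitting it on method calls. An
 * error reply is produced only when the caller is waiting for a reply. */
struct dispatch_result dispatch_method_call(const char *path, const char *iface,
                                            const char *member, int no_reply)
{
    struct dispatch_result r = { DISPATCH_HANDLE, NULL, "" };
    if (path == NULL || strcmp(path, SHIM_PATH) != 0) {
        r.error_name = DBUS_ERROR_UNKNOWN_OBJECT;
        snprintf(r.text, sizeof r.text, "No such object path '%s'",
                 path ? path : "");
    } else if (iface != NULL && strcmp(iface, SHIM_INTERFACE) != 0) {
        r.error_name = DBUS_ERROR_UNKNOWN_INTERFACE;
        snprintf(r.text, sizeof r.text, "No such interface '%s' on '%s'",
                 iface, SHIM_PATH);
    } else if (!method_known(member)) {
        r.error_name = DBUS_ERROR_UNKNOWN_METHOD;
        snprintf(r.text, sizeof r.text, "No such method '%s' on '%s'",
                 member ? member : "", SHIM_INTERFACE);
    }
    if (r.error_name != NULL)
        r.action = no_reply ? DISPATCH_DROP : DISPATCH_ERROR;
    return r;
}

/* Convenience wrappers: the action, and the error name that would be sent
 * (NULL when the call is handled or silently dropped). */
int route_action(const char *p, const char *i, const char *m, int nr)
{
    return dispatch_method_call(p, i, m, nr).action;
}
const char *route_error_name(const char *p, const char *i, const char *m, int nr)
{
    struct dispatch_result r = dispatch_method_call(p, i, m, nr);
    return r.action == DISPATCH_ERROR ? r.error_name : NULL;
}

int main(void)
{
    struct dispatch_result r = dispatch_method_call(SHIM_PATH, NULL, "Nope", 0);
    printf("%d %s: %s\n", r.action, r.error_name ? r.error_name : "-", r.text);
    return 0;
}
```

In the real message filter the DISPATCH_ERROR branch becomes dbus_message_new_error(msg, r.error_name, r.text), dbus_connection_send(conn, reply, NULL) and dbus_message_unref(reply); DISPATCH_DROP sends nothing, because a client that set NO_REPLY_EXPECTED would otherwise receive an unsolicited error, and a client that did expect a reply and got none would hang until its own timeout.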