From 18a7a1eac0587ad505cf580bb850aecaf3c7b971 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 12 Oct 2024 05:11:16 +0000
Subject: [PATCH] add buffyboard systemd service this is an optional feature. systemd distributions wishing to deploy buffyboard may add `WantedBy=getty.target` to the Install section.
---
 buffyboard/buffyboard.service.in | 38 ++++++++++++++++++++++++++++++++
 buffyboard/meson.build | 14 ++++++++++++
 meson_options.txt | 1 +
 3 files changed, 53 insertions(+)
 create mode 100644 buffyboard/buffyboard.service.in
diff --git a/buffyboard/buffyboard.service.in b/buffyboard/buffyboard.service.in
new file mode 100644
index 0000000..333f6b0
--- /dev/null
+++ b/buffyboard/buffyboard.service.in
@@ -0,0 +1,38 @@
+[Unit]
+Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
+
+[Service]
+ExecStart=@bindir@/buffyboard
+Restart=on-failure
+
+# Allow access to input devices, framebuffer, tty
+DevicePolicy=closed
+DeviceAllow=/dev/uinput rw
+DeviceAllow=char-fb rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+# udev requires some limited networking
+RestrictAddressFamilies=AF_NETLINK
+
+# Hardening
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
diff --git a/buffyboard/meson.build b/buffyboard/meson.build
index b80c42f..7f5ae07 100644
--- a/buffyboard/meson.build
+++ b/buffyboard/meson.build
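Review bot: The Hardening block leaves namespace creation open: there is no `RestrictNamespaces=` line, and as far as I can tell none of the three `SystemCallFilter=` lines removes `unshare`, so a compromised buffyboard could still enter a nested user namespace on kernels that allow it, which would undercut the empty `CapabilityBoundingSet=`. Assuming buffyboard itself creates no namespaces and needs no realtime scheduling, add `RestrictNamespaces=true` and `RestrictRealtime=true` next to `LockPersonality=true`. The unit also sets no `User=`, so the process runs as uid 0 and root-owned files stay readable under `ProtectSystem=strict`. A one-line comment saying why root is needed (presumably ownership of /dev/uinput and the tty nodes) would help distributions that want to run it under a dedicated account.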
@@ -24,3 +24,17 @@ executable('buffyboard',
 install_data('buffyboard.conf', install_dir: get_option('sysconfdir'))
+systemd = dependency('systemd', required: get_option('systemd-service'))
+if systemd.found()
+ system_unit_dir = systemd.get_variable(pkgconfig: 'systemd_system_unit_dir')
+
+ configure_file(
+ input : 'buffyboard.service.in',
+ output : 'buffyboard.service',
+ install : true,
+ install_dir : get_option('prefix') / system_unit_dir,
+ configuration : {
+ 'bindir' : get_option('prefix') / get_option('bindir'),
+ },
+ )
+endif
diff --git a/meson_options.txt b/meson_options.txt
index 23c6547..9a1b385 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,2 +1,3 @@
 option('with-drm', type: 'feature', value: 'auto', description: 'Enable DRM backend')
 option('man', type: 'boolean', value: true, description: 'Install manual pages')
+option('systemd-buffyboard-service', type: 'bool', value: 'auto', description: 'Install systemd service file for buffyboard')
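Review bot: `get_option('systemd-service')` in the first added line names an option this patch never declares; the meson_options.txt hunk adds `systemd-buffyboard-service` instead, so unless `systemd-service` is defined outside the patch, configuration stops on an unknown option and the hardened unit is never installed. Make the two names agree, e.g. `systemd = dependency('systemd', required: get_option('systemd-buffyboard-service'))`. Separately, `systemd_system_unit_dir` from pkg-config is normally an absolute path, so `get_option('prefix') / system_unit_dir` most likely resolves to the system unit directory regardless of prefix. A short comment saying that is intended would save packagers a surprise.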
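Review bot: `type: 'bool'` on the added option is not a meson option type (the `man` option on the line above uses `'boolean'`), and `value: 'auto'` is only valid for a feature option. Because the value is passed to `required:` in buffyboard/meson.build, it should be declared as a feature, like `with-drm`: `option('systemd-buffyboard-service', type: 'feature', value: 'auto', description: 'Install systemd service file for buffyboard')`.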