Files
buffybox/buffyboard/buffyboard.service.in
2024-11-02 10:10:15 +00:00

39 lines
879 B
SYSTEMD

[Unit]
Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
[Service]
ExecStart=@bindir@/buffyboard
Restart=on-failure
# Allow access to input devices, framebuffer, tty
DevicePolicy=closed
DeviceAllow=/dev/uinput rw
DeviceAllow=char-fb rw
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
# udev requires some limited networking
RestrictAddressFamilies=AF_NETLINK
# Hardening
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
PrivateMounts=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources