39 lines
879 B
SYSTEMD
39 lines
879 B
SYSTEMD
[Unit]
|
|
Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
|
|
|
|
[Service]
|
|
ExecStart=@bindir@/buffyboard
|
|
Restart=on-failure
|
|
|
|
# Allow access to input devices, framebuffer, tty
|
|
DevicePolicy=closed
|
|
DeviceAllow=/dev/uinput rw
|
|
DeviceAllow=char-fb rw
|
|
DeviceAllow=char-input rw
|
|
DeviceAllow=char-tty rw
|
|
# udev requires some limited networking
|
|
RestrictAddressFamilies=AF_NETLINK
|
|
|
|
# Hardening
|
|
CapabilityBoundingSet=
|
|
NoNewPrivileges=true
|
|
RestrictSUIDSGID=true
|
|
PrivateMounts=true
|
|
PrivateTmp=true
|
|
PrivateUsers=true
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectSystem=strict
|
|
RemoveIPC=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged
|
|
SystemCallFilter=~@resources
|