···

       
868
       
868
       
 
       
            "amshan"

     

       
869
       
869
       
 
       
            "benqprojector"

     

       
870
       
870
       
 
       
          ];

     

       
871
       
871
       
+
       
          componentsUsingInputDevices = [

     

       
872
       
872
       
+
       
            # Components that require access to input devices (/dev/input/*)

     

       
873
       
873
       
+
       
            "keyboard_remote"

     

       
874
       
874
       
+
       
          ];

     

       
871
       
875
       
 
       
        in

     

       
872
       
876
       
 
       
        {

     

       
873
       
877
       
 
       
          ExecStart = escapeSystemdExecArgs (

     
···

       
898
       
902
       
 
       
          # Hardening

     

       
899
       
903
       
 
       
          AmbientCapabilities = capabilities;

     

       
900
       
904
       
 
       
          CapabilityBoundingSet = capabilities;

     

       
901
       
901
       
-
       
          DeviceAllow = (

     

       
905
       
905
       
+
       
          DeviceAllow =

     

       
902
       
906
       
 
       
            optionals (any useComponent componentsUsingSerialDevices) [

     

       
903
       
907
       
 
       
              "char-ttyACM rw"

     

       
904
       
908
       
 
       
              "char-ttyAMA rw"

     

       
905
       
909
       
 
       
              "char-ttyUSB rw"

     

       
906
       
910
       
 
       
            ]

     

       
907
       
907
       
-
       
          );

     

       
911
       
911
       
+
       
            ++ optionals (any useComponent componentsUsingInputDevices) [

     

       
912
       
912
       
+
       
              "char-input rw"

     

       
913
       
913
       
+
       
            ];

     

       
908
       
914
       
 
       
          DevicePolicy = "closed";

     

       
909
       
915
       
 
       
          LockPersonality = true;

     

       
910
       
916
       
 
       
          MemoryDenyWriteExecute = true;

     
···

       
946
       
952
       
 
       
          RestrictNamespaces = true;

     

       
947
       
953
       
 
       
          RestrictRealtime = true;

     

       
948
       
954
       
 
       
          RestrictSUIDSGID = true;

     

       
949
       
949
       
-
       
          SupplementaryGroups = optionals (any useComponent componentsUsingSerialDevices) [

     

       
950
       
950
       
-
       
            "dialout"

     

       
951
       
951
       
-
       
          ];

     

       
955
       
955
       
+
       
          SupplementaryGroups =

     

       
956
       
956
       
+
       
            optionals (any useComponent componentsUsingSerialDevices) [

     

       
957
       
957
       
+
       
              "dialout"

     

       
958
       
958
       
+
       
            ]

     

       
959
       
959
       
+
       
            ++ optionals (any useComponent componentsUsingInputDevices) [

     

       
960
       
960
       
+
       
              "input"

     

       
961
       
961
       
+
       
            ];

     

       
952
       
962
       
 
       
          SystemCallArchitectures = "native";

     

       
953
       
963
       
 
       
          SystemCallFilter = [

     

       
954
       
964
       
 
       
            "@system-service"