diff --git a/keyd.service b/keyd.service
index 14aa26d..5aba97d 100644
--- a/keyd.service
+++ b/keyd.service
@@ -7,5 +7,41 @@ After=local-fs.target
 Type=simple
 ExecStart=/usr/bin/keyd
 
+ProtectProc=noaccess
+ProcSubset=pid
+ProtectSystem=strict
+ProtectHome=true
+ReadOnlyPaths=/etc/keyd
+PrivateTmp=true
+DeviceAllow=input
+DeviceAllow=uinput
+ProtectHostname=true
+ProtectClock=true
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX
+PrivateNetwork=true
+IPAddressDeny=any
+
+NoNewPrivileges=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+
+CapabilityBoundingSet=CAP_SETGID CAP_SYS_NICE
+
+UMask=177
+
 [Install]
 WantedBy=sysinit.target
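Review bot: The two `DeviceAllow=` lines do not use a form systemd accepts: the value has to be a device node path under `/dev` or a `char-`/`block-` group name, so `input` and `uinput` are likely logged as invalid and ignored, which would leave the unit with no device allow-list at all. For a daemon that handles input devices this is the restriction that matters most; I would write `DeviceAllow=char-input rw` and `DeviceAllow=/dev/uinput rw` and confirm with `systemd-analyze verify keyd.service`. Separately, `CapabilityBoundingSet=` keeps `CAP_SETGID` while `SystemCallFilter=~@privileged` removes `setgid`/`setgroups` and the `@chown` group, so if keyd changes its group or a socket's ownership at startup the filter will stop it, and if it does not the capability can be dropped. `ProtectSystem=strict` also mounts the whole tree read-only, so any socket or state path the daemon creates would need `RuntimeDirectory=` or `ReadWritePaths=`; whether keyd needs one is not visible in this hunk.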