From 01ebf9d86c52a658726ac1602c4fdff00b856914 Mon Sep 17 00:00:00 2001
From: Expertcoderz <expertcoderzx@gmail.com>
Date: Mon, 11 Dec 2023 02:18:53 +0000
Subject: [PATCH 1/2] Configure systemd security features

---
 keyd.service | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/keyd.service b/keyd.service
index 14aa26d8..84b65174 100644
--- a/keyd.service
+++ b/keyd.service
@@ -7,5 +7,41 @@ After=local-fs.target
 Type=simple
 ExecStart=/usr/bin/keyd
 
+ProtectProc=noaccess
+ProcSubset=pid
+ProtectSystem=strict
+ProtectHome=true
+ReadOnlyPaths=/etc/keyd
+PrivateTmp=true
+DeviceAllow=char-input
+DeviceAllow=/dev/uinput
+ProtectHostname=true
+ProtectClock=true
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX
+PrivateNetwork=true
+IPAddressDeny=any
+
+NoNewPrivileges=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+
+CapabilityBoundingSet=CAP_SETGID CAP_SYS_NICE
+
+UMask=177
+
 [Install]
 WantedBy=sysinit.target

From 82e63f90b8927bb1038b50a739e91b48af670506 Mon Sep 17 00:00:00 2001
From: Expertcoderz <expertcoderzx@gmail.com>
Date: Fri, 5 Jan 2024 09:07:54 +0000
Subject: [PATCH 2/2] Set ProtectProc to invisible

---
 keyd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keyd.service b/keyd.service
index 84b65174..3017714e 100644
--- a/keyd.service
+++ b/keyd.service
@@ -7,7 +7,7 @@ After=local-fs.target
 Type=simple
 ExecStart=/usr/bin/keyd
 
-ProtectProc=noaccess
+ProtectProc=invisible
 ProcSubset=pid
 ProtectSystem=strict
 ProtectHome=true