# Unit metadata and start conditions for the gpm console mouse service.
[Unit]
# Human-readable name shown in systemctl output and in log messages.
Description=Console Mouse Manager
# Skip the unit (it is not marked failed) when systemd detects it is running
# inside a container. Presumably a container has no console mouse of its own
# to manage; confirm against the commit that added this.
ConditionVirtualization=!container
# This could probably benefit from socket activation, but honestly I think it
# is time for gpm to go away, and hence I am not planning to spend the time
# to add socket activation here.
# How gpm is started, followed by the sandbox it runs in.
# No User= appears in the lines shown, so the daemon runs as root unless a
# drop-in says otherwise; the settings below are what limits it.
# NOTE(review): not set in the lines shown and worth evaluating against what
# gpm actually needs: NoNewPrivileges=, ProtectKernelModules=,
# ProtectKernelLogs=, PrivateTmp=, RestrictNamespaces=, LockPersonality=.
[Service]
# -m names the mouse device to read and -t the mouse protocol (see gpm(8)).
# The binary is given without a directory, so systemd resolves it through its
# compiled-in search path. An absolute path would pin exactly which executable
# is started; confirm the install location before changing it.
ExecStart=gpm -m /dev/input/mice -t exps2
# systemd treats start-up as complete once the process it launched exits,
# which fits a daemon that puts itself in the background.
Type=forking
# Where systemd reads the main PID of the forked daemon from.
# /run is not one of the directories ProtectSystem=full makes read-only.
PIDFile=/run/gpm.pid
# /usr, the boot loader directories and /etc are mounted read-only for the
# service.
# NOTE(review): ProtectSystem=strict would make the rest of the hierarchy
# read-only too, but then every path gpm writes (at least the PID file
# directory) needs a ReadWritePaths= entry; evaluate before tightening.
ProtectSystem=full
# /home, /root and /run/user are inaccessible and appear empty to the service.
ProtectHome=yes
# Hides /proc entries of processes owned by other users; processes of the
# service's own user stay visible.
ProtectProc=invisible
# The control group hierarchy under /sys/fs/cgroup is read-only for the service.
ProtectControlGroups=yes
# Kernel tunables exposed through /proc/sys, /sys and similar interfaces are
# read-only for the service.
ProtectKernelTunables=yes
# The service gets its own network namespace containing only a loopback
# device, so it has no access to the host's network interfaces.
# AF_UNIX sockets that live in the file system keep working.
PrivateNetwork=yes
# Upper bound on the capabilities the service can ever hold.
# CAP_SYS_ADMIN is very broad. systemd.exec(5) warns that mount-namespace
# protections (the Protect*= settings above) can be undone by a process holding
# it unless mounting is blocked by other means. Here the SystemCallFilter=
# allow-list names no @mount group, which appears to be what closes that gap;
# keep the two settings in step.
# NOTE(review): record which gpm operation needs each capability so the set
# can be re-checked when gpm or the kernel changes.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
# With any DeviceAllow= present and DevicePolicy= left at its default, only the
# listed device classes plus systemd's standard pseudo devices are accessible.
# This entry admits the "tty" character device group.
# NOTE(review): no access mode is given; confirm what systemd applies by
# default and consider an explicit "rw" if gpm never creates device nodes.
DeviceAllow=char-tty
# Admits the "input" character device group; presumably this is what covers
# the /dev/input/mice node named in ExecStart= (verify with /proc/devices).
# NOTE(review): as with char-tty, no access mode is given.
DeviceAllow=char-input
# See also https://github.com/systemd/systemd/pull/21350
# Allow-list: a system call outside these groups and names is refused with the
# error set by SystemCallErrorNumber= below.
# @network-io is presumably needed for gpm's AF_UNIX socket traffic; confirm.
# NOTE(review): @process is a wide group; check with
# "systemd-analyze syscall-filter @process" whether all of it is needed.
SystemCallFilter=@basic-io @io-event @network-io @file-system @process @signal ioctl mprotect setsid
# Only system calls of the native ABI are permitted, so the filter above cannot
# be sidestepped through a secondary ABI (for example 32-bit calls on a 64-bit
# host).
SystemCallArchitectures=native
# A filtered system call fails with EPERM instead of terminating the process.
# NOTE(review): this also makes violations quiet; if visibility is wanted,
# SystemCallLog= can log selected calls.
SystemCallErrorNumber=EPERM
# Sockets may only be created in the AF_UNIX family; every other address
# family is refused.
RestrictAddressFamilies=AF_UNIX
# Note that "special commands" are disallowed by default.
# To enable, add '-S' to ExecStart= line, and tweak the SystemCallFilter= as appropriate.
# Read by "systemctl enable" and "systemctl disable"; not used at runtime.
[Install]
# Enabling the unit makes multi-user.target pull it in at boot.
WantedBy=multi-user.target