[Unit]
Description=EvType

[Service]
# restrict permissions as much as possible
CapabilityBoundingSet=true
DeviceAllow=/dev/uinput
DeviceAllow=/dev/stdout
DevicePolicy=strict
IPAddressDeny=any
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateNetwork=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectory=evtype
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged
UMask=0077
User=root

ExecStart=/usr/bin/evtype_daemon

[Install]
WantedBy=multi-user.target