[Unit]
Description=shortcutd

[Service]
# restrict permissions as much as possible
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictSUIDSGID=true
PrivateNetwork=true
CapabilityBoundingSet=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX
PrivateUsers=true
PrivateTmp=true
ProtectKernelModules=true
ProtectKernelLogs=true
NoNewPrivileges=true
SystemCallFilter=@system-service
SystemCallFilter=~@resources
MemoryDenyWriteExecute=true
IPAddressDeny=any

ExecStart=/usr/bin/shortcutd

[Install]
WantedBy=multi-user.target