[Unit]
Description=POST codes display clock

[Service]
ExecStart=/usr/bin/post-clock
Nice=10

# User and capabilities
DynamicUser=true
CapabilityBoundingSet=CAP_SYS_RAWIO
AmbientCapabilities=CAP_SYS_RAWIO

# Security
NoNewPrivileges=true
SecureBits=keep-caps keep-caps-locked
SecureBits=no-setuid-fixup no-setuid-fixup-locked
SecureBits=noroot noroot-locked

# Sandboxing
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# PrivateDevices=true would remove CAP_SYS_RAWIO. Instead make /dev inaccessible:
InaccessiblePaths=/dev
PrivateNetwork=true
PrivateIPC=true
# PrivateUsers=true would remove capabilities in the host namespace, which we need.
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=none
# RestrictFileSystems: no universal value to allow access to /etc/localtime.
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
SystemCallFilter=@system-service ioperm
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

[Install]
WantedBy=default.target