Use a systemd sandbox for the gpm service

The sandbox is designed to allow standard select&paste operation on
the text console. More fancy uses of gpm are unlikely to work, but
that's on purpose: the only thing that people should be using gpm for
is the occasional text copying when they land in rescue mode.

This serves as an alternative to [1]. The replacement policy is probably
stricter in some regards, while less strict in others… But I think it's
much less magic and should be easier to maintain.

[1] https://src.fedoraproject.org/rpms/gpm/pull-request/4

changelog

@@ -1,3 +1,7 @@
+* Wed Sep 08 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 1.20.7-38
+- A systemd sandbox has been added for the service. The goal is to allow standard
+  select-and-paste operations to work on the console, and not much else.
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.7-28
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 
@@ -653,3 +657,4 @@
 
 * Thu Jun 19 1997 Erik Troan <ewt@redhat.com>
 - built against glibc
+

gpm.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=Console Mouse manager
+Description=Console Mouse Manager
 ConditionVirtualization=!container
 
 # This could probably benefit from socket activation, but honestly I think it
@@ -7,9 +7,26 @@ ConditionVirtualization=!container
 # to add socket activation here.
 
 [Service]
-ExecStart=/usr/sbin/gpm -m /dev/input/mice -t exps2
+ExecStart=gpm -m /dev/input/mice -t exps2
 Type=forking
 PIDFile=/run/gpm.pid
 
+ProtectSystem=full
+ProtectHome=yes
+ProtectProc=invisible
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+PrivateNetwork=yes
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
+DeviceAllow=char-tty
+DeviceAllow=char-input
+SystemCallFilter=@basic-io @io-event @network-io @file-system @process ioctl
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+RestrictAddressFamilies=AF_UNIX
+
+# Note that "special commands" are disallowed by default.
+# To enable, add '-S' to ExecStart= line, and tweak the SystemCallFilter= as appropriate.
+
 [Install]
 WantedBy=multi-user.target

gpm.spec

@@ -27,20 +27,19 @@ Patch7: gpm-1.20.7-rhbz-668480-gpm-types-7-manpage-fixes.patch
 # Disabled, need to be reviewed
 Patch9: gpm-1.20.6-capability.patch
 
-Requires(post): systemd info
+Requires(post): info
-Requires(preun): systemd info
+Requires(preun): info
-Requires(postun): systemd
 # this defines the library version that this package builds.
 %define LIBVER 2.1.0
 BuildRequires: sed gawk texinfo bison ncurses-devel autoconf automake libtool libcap-ng-devel
-BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
 BuildRequires: make
 Requires: linuxconsoletools
 Requires: %{name}-libs = %{version}-%{release}
 
 %description
 Gpm provides mouse support to text-based Linux applications like the
-Emacs editor and the Midnight Commander file management system.  Gpm
+Emacs editor and the Midnight Commander file management system. Gpm
 also provides console cut-and-paste operations using the mouse and
 includes a program to allow pop-up menus to appear at the click of a
 mouse button.