b163339baf
The sandbox is designed to allow standard select&paste operation on the text console. More fancy uses of gpm are unlikely to work, but that's on purpose: the only thing that people should be using gpm for is the occasional text copying when they land in rescue mode. This serves as an alternative to [1]. The replacement policy is probably stricter in some regards, while less strict in others… But I think it's much less magic and should be easier to maintain. [1] https://src.fedoraproject.org/rpms/gpm/pull-request/4
33 lines
931 B
Desktop File
33 lines
931 B
Desktop File
[Unit]
|
|
Description=Console Mouse Manager
|
|
ConditionVirtualization=!container
|
|
|
|
# This could probably benefit from socket activation, but honestly I think it
|
|
# is time for gpm to go away, and hence I am not planning to spend the time
|
|
# to add socket activation here.
|
|
|
|
[Service]
|
|
ExecStart=gpm -m /dev/input/mice -t exps2
|
|
Type=forking
|
|
PIDFile=/run/gpm.pid
|
|
|
|
ProtectSystem=full
|
|
ProtectHome=yes
|
|
ProtectProc=invisible
|
|
ProtectControlGroups=yes
|
|
ProtectKernelTunables=yes
|
|
PrivateNetwork=yes
|
|
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
|
|
DeviceAllow=char-tty
|
|
DeviceAllow=char-input
|
|
SystemCallFilter=@basic-io @io-event @network-io @file-system @process ioctl
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
RestrictAddressFamilies=AF_UNIX
|
|
|
|
# Note that "special commands" are disallowed by default.
|
|
# To enable, add '-S' to ExecStart= line, and tweak the SystemCallFilter= as appropriate.
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|