rust-u2f
Restrict systemd units as much as possible
A number of good ideas in: http://0pointer.net/public/systemd-nluug-2014.pdf
Should be as simple as trying each mitigation and seeing which can be enabled without breaking anything.
Possibly more in the following presentation: http://ftp.nluug.nl/video/nluug/2014-11-20_nj14/zaal-2/5_Lennart_Poettering_-_Systemd.webm
The system daemon probably doesn't really need to run as root (which the client currently checks for -- needlessly, AFAICT). If the system daemon gets handed an open file descriptor to /dev/uhid, that's about all the privileges it needs (and handing on that FD can probably be done in the systemd unit).
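As an added example (not from the issue author and not part of the rust-u2f project), here is one way to implement both ideas from the issue in systemd alone: a .socket unit opens /dev/uhid as root with ListenSpecial= and hands the open descriptor to the service, and the .service unit runs unprivileged with the sandboxing directives from the slides applied. Unit names, the binary path, the service account name and the claim that the daemon only needs the uhid fd plus a local UNIX socket are assumptions made for illustration; directives your systemd version rejects can simply be dropped, which is the trial-and-error approach the issue suggests.

```ini
# Added example, not rust-u2f's own unit files. Two files are shown in one
# fence; the "# file:" comments mark where each one starts. Unit names and
# the ExecStart= path are assumptions.

# file: /etc/systemd/system/rust-u2f-system.socket
[Unit]
Description=Open /dev/uhid for the rust-u2f system daemon

[Socket]
# ListenSpecial= opens a character device node (not a listening socket) as
# root; the service inherits it as fd 3 with LISTEN_FDS=1 and LISTEN_PID set.
ListenSpecial=/dev/uhid
Service=rust-u2f-system.service

[Install]
WantedBy=sockets.target

# file: /etc/systemd/system/rust-u2f-system.service
[Unit]
Description=rust-u2f system daemon (unprivileged, inherits the uhid fd)
Wants=rust-u2f-system.socket
After=rust-u2f-system.socket

[Service]
# Assumed binary path; the daemon must use the inherited fd instead of
# opening /dev/uhid itself (it is not visible under PrivateDevices=).
ExecStart=/usr/bin/softu2f-system-daemon
Sockets=rust-u2f-system.socket

# No root and no capabilities: the inherited fd is the only privilege.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Filesystem and device view: read-only OS image, no home, private /tmp and
# a private /dev containing only pseudo-devices.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Assumes the daemon only talks to the user daemon over a local socket.
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX

# Kernel attack surface.
RestrictNamespaces=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security rust-u2f-system.service` scores the unit's exposure and lists every directive still left open, which is a quicker loop than reading the slides directive by directive. Two caveats: the service is enabled on its own and only inherits the fd through Sockets=, because I would not rely on readiness of the /dev/uhid node to trigger socket activation the way a listening socket does; and the daemon side has to honour LISTEN_PID/LISTEN_FDS and use fd 3 rather than re-opening /dev/uhid, which the sandbox deliberately makes impossible.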