bluealsa.service.in

[Unit]
Description=BlueALSA service
Documentation=man:bluealsa(8)
Requisite=dbus.service
After=bluetooth.service

# In order to customize BlueALSA D-Bus service one should create an override
# for this systemd unit file. Please note, that in the override file one will
# have to explicitly clear the ExecStart before setting it again. See the
# bluez-alsa wiki for more options.
#
# $ sudo systemctl edit bluealsa
# [Service]
# ExecStart=
# ExecStart=@bindir@/bluealsa -S --keep-alive=5 -p a2dp-sink

# When using low latency audio profile like HSP/HFP, it is recommended to set
# real-time scheduling priority for IO threads with the --io-rt-priority=NUM
# option. However, in order to allow BlueALSA to modify scheduling priority,
# one has to relax sandboxing rules.
#
# $ sudo systemctl edit bluealsa
# [Service]
# AmbientCapabilities=CAP_SYS_NICE
# CapabilityBoundingSet=CAP_SYS_NICE
# RestrictRealtime=false
# SystemCallFilter=@resources

[Service]
Type=dbus
BusName=org.bluealsa
User=@bluealsauser@
ExecStart=@bindir@/bluealsa @systemdbluealsaargs@
Restart=on-failure

# Sandboxing
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
IPAddressDeny=any
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=false
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_UNIX AF_BLUETOOTH
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
UMask=0077

# Setup state directory for persistent storage
ReadWritePaths=/var/lib/bluealsa
StateDirectory=bluealsa

[Install]
WantedBy=bluetooth.target