Tip: If you're setting up systemd sandboxing for a libusb-based daemon, you'll need to allow AF_NETLINK sockets (eg. RestrictAddressFamilies=AF_NETLINK) if you want it to work... I'm still trying to figure out a working DeviceAllow string for my CM19A so I can go back to the DevicePolicy=closed and PrivateDevices=yes I was using with my CM17A. #systemd #sandbox #security #usb #linux