-* All log messages generated from socket.c, service.c, ... should
- include _SYSTEMD_UNIT= fields so that "systemctl status" can show
- them along with the unit
+* DeviceAllow/DeviceDeny: disallow everything by default, but whitelist /dev/zero, /dev/null and friends