[Unit]
Description=Notification hub
PartOf=graphical-session.target

[Service]
Type=dbus
BusName=org.freedesktop.Notifications
ExecStart=/usr/bin/notification-hub

LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
SystemCallFilter=@system-service
InaccessiblePaths=/home
PrivateTmp=yes