What | Removed | Added |
---|---|---|
Status | NEW | IN_PROGRESS |
CC | jsegitz@suse.com |
After talking to the systemd maintainers it looks like using PrivateDevices=true was completely wrong in this case. Its purpose is to disallow access to all physical devices, so it cannot be used if access to any physical device is needed. But DeviceAllow should be good enough to allow the process to only access the devices it needs.
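
An added example (not part of the comment above, and not code from systemd or the affected package): a small lint that flags the combination described, `PrivateDevices=` enabled together with a `DeviceAllow=` entry for a device node that the private `/dev` will not contain. The unit text, `/usr/bin/example-daemon` and `/dev/example0` are constructed placeholders.

```python
# Constructed sample unit; the daemon and device path are placeholders.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/example-daemon
PrivateDevices=true
DeviceAllow=/dev/example0 rw
DeviceAllow=/dev/null rw
DeviceAllow=char-pts rw
"""

# Pseudo devices that remain available in a PrivateDevices= /dev
# (abbreviated list, following the systemd.exec documentation).
PSEUDO = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
          "/dev/urandom", "/dev/tty", "/dev/ptmx"}
TRUE = {"1", "yes", "true", "on"}  # systemd boolean spellings


def parse_service(text):
    """Return (private_devices, device_allow_specifiers) for [Service]."""
    section, private, allowed = None, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PrivateDevices":
            private = value.lower() in TRUE
        elif key == "DeviceAllow":
            if value:
                allowed.append(value.split()[0])  # drop the r/w/m flags
            else:
                allowed = []  # an empty assignment resets the list
    return private, allowed


def unreachable_devices(text):
    """Device nodes allowed by DeviceAllow= but hidden by PrivateDevices=."""
    private, allowed = parse_service(text)
    if not private:
        return []
    return [dev for dev in allowed
            if dev.startswith("/dev/") and dev not in PSEUDO
            and not dev.startswith("/dev/pts/")]
```

A non-empty result means the unit should drop `PrivateDevices=` and rely on `DeviceAllow=` alone for the listed nodes.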