This introduces a set of hardening options to the systemd unit to isolate the service further.
Applied restrictions are (among others):
- no capabilities, and these cannot be changed (so calling a binary with capabilities may cause an issue)
- cannot call SUID/SGID binaries
- restrict the view of the OS to a minimum
- hide some shared resources (like users or /tmp)
- disallow non-UNIX and non-INET(4/6) sockets
- protect kernel settings and logs
- force native syscalls (so for example on x86-64 there is no way to call x86 syscalls)
- limit executables to Nix store
These shouldn't be too restrictive for most users.
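As an added illustration (not the module's own code), the restrictions listed above map onto the following systemd service directives in a NixOS configuration; the service name, the `pkgs.hello` binary and the exact directive choices are my assumptions, not taken from the change itself, and `ExecPaths`/`NoExecPaths` require systemd 248 or newer.

```nix
# Added example, not the module's own code: one way to express the listed
# restrictions as systemd service directives in NixOS. "example-daemon" and
# the pkgs.hello binary are placeholders.
{ config, pkgs, ... }:
{
  systemd.services.example-daemon = {
    description = "Hardened example service";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.hello}/bin/hello";  # placeholder binary in the Nix store
      DynamicUser = true;

      # No capabilities, and none can be gained later; with NoNewPrivileges
      # SUID/SGID and file-capability binaries cannot raise privileges.
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
      NoNewPrivileges = true;

      # Minimal view of the OS: read-only /usr, /boot, /etc and no home dirs.
      ProtectSystem = "strict";
      ProtectHome = true;

      # Hide shared resources: private /tmp and a private user namespace.
      PrivateTmp = true;
      PrivateUsers = true;

      # Only UNIX and INET(4/6) sockets may be created.
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";

      # Kernel settings (/proc/sys, /sys) and kernel logs are inaccessible.
      ProtectKernelTunables = true;
      ProtectKernelLogs = true;

      # Native syscall ABI only (e.g. no 32-bit x86 syscalls on x86-64).
      SystemCallArchitectures = "native";

      # Executables only from the Nix store: mount everything noexec,
      # then re-allow /nix/store.
      NoExecPaths = "/";
      ExecPaths = "/nix/store";
    };
  };
}
```

A quick way to see which of these a running unit actually has, and what is still missing, is `systemd-analyze security example-daemon.service`.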