Harden services with systemd sandboxing
We can further harden our own systemd services with some of the sandboxing options documented in systemd.exec(5). They belong in the [Service] section of the unit, or of a drop-in created with systemctl edit. Note that ProtectSystem=strict mounts the whole file system hierarchy read-only except /dev, /proc and /sys, so any directory the service must write to has to be listed in ReadWritePaths=.
For example:
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
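As an added example, not part of the original task, the shell functions below generate a drop-in carrying the directives above for a hypothetical myapp.service (the unit name and its writable paths are assumptions) and audit a unit file for any of those directives that are absent or disabled. The audit reads a unit file from disk, so it can be run on the output of systemctl cat, which includes drop-ins:

```shell
#!/bin/sh
# Added example (not from the original page): build a sandboxing drop-in for
# a service and audit a unit file for the directives listed above.
# "myapp.service" and its writable paths are assumptions for illustration.

# Keys of the recommended directives, checked in this order.
HARDENING_KEYS="NoNewPrivileges ProtectSystem ProtectHome PrivateTmp PrivateDevices ProtectKernelTunables ProtectKernelModules ProtectControlGroups"

# Print a drop-in for the [Service] section. With ProtectSystem=strict the
# whole file system is read-only, so each path the service must write is
# whitelisted with ReadWritePaths=. Install it with
#   systemctl edit myapp.service        (opens the drop-in in an editor)
# or write it to /etc/systemd/system/myapp.service.d/hardening.conf, then
#   systemctl daemon-reload && systemctl restart myapp.service
make_dropin() {
    # $1: space-separated list of writable paths (may be empty)
    cat <<'EOF'
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
EOF
    for p in $1; do
        printf 'ReadWritePaths=%s\n' "$p"
    done
}

# Print the hardening keys that are absent or disabled in a unit file and
# return non-zero if any are. Feed it the merged unit, e.g.
#   systemctl cat myapp.service > /tmp/myapp.unit && audit_unit /tmp/myapp.unit
# The last assignment of a key wins, as it does in systemd itself.
audit_unit() {
    missing=""
    for key in $HARDENING_KEYS; do
        val=$(grep -E "^[[:space:]]*$key=" "$1" | tail -n 1 |
              cut -d= -f2- | tr -d '[:space:]' | tr 'A-Z' 'a-z')
        case "$val" in
            ""|no|false|off|0) missing="$missing $key" ;;
        esac
    done
    [ -n "$missing" ] && printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demo on a constructed unit file; nothing here touches the running system.
demo=$(mktemp)
printf '[Service]\nExecStart=/usr/bin/myapp\nProtectSystem=no\nPrivateTmp=true\n' > "$demo"
echo "Missing from the weak unit: $(audit_unit "$demo" && echo '(none)')"
make_dropin "/var/lib/myapp /var/log/myapp" > "$demo"
echo "Missing after the drop-in:  $(audit_unit "$demo" && echo '(none)')"
rm -f "$demo"
```

The audit only checks that the directives are set; whether the service still works under them has to be verified by restarting it and watching its journal, and on systemd 240 or later systemd-analyze security myapp.service gives a broader score of the unit's sandboxing.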
Newer systemd can score a unit's sandboxing and show which of these settings are missing; this was added in the pull request below and shipped in systemd 240 as systemd-analyze security: https://github.com/systemd/systemd/pull/10701
Migrated from https://kanboard.archlinux.org/project/1/task/103