feat(systemd/smartdns.service.in): securing systemd service

systemd/smartdns.service.in

@@ -9,13 +9,45 @@ StartLimitIntervalSec=60
 
 [Service]
 Type=forking
-PIDFile=@RUNSTATEDIR@/smartdns.pid
+DynamicUser=true
+RuntimeDirectory=smartdns
+LogsDirectory=smartdns
+CacheDirectory=smartdns
+PIDFile=/run/smartdns/smartdns.pid
 EnvironmentFile=@SYSCONFDIR@/default/smartdns
-ExecStart=@SBINDIR@/smartdns -p @RUNSTATEDIR@/smartdns.pid $SMART_DNS_OPTS
+LoadCredential=smartdns.conf:@SYSCONFDIR@/smartdns/smartdns.conf
+ExecStart=@SBINDIR@/smartdns -p $PIDFILE -c "${CREDENTIALS_DIRECTORY}/smartdns.conf" $SMART_DNS_OPTS
 Restart=always
 RestartSec=2
 TimeoutStopSec=15
 
+# Capabilities
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
+
+# Hardening options
+DevicePolicy=closed
+LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
 [Install]
 WantedBy=multi-user.target
 Alias=smartdns.service