Hardening systemd services with sandboxing options
I keep forgetting which systemd sandboxing options are safe defaults for long-running daemons, so this is mostly for me.
Drop these into the [Service] section of the unit file unless you have a specific reason not to:
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# AF_UNIX stays: syslog(), nss and D-Bus all talk over local sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# No writable+executable memory. Breaks JIT engines and anything that generates code at run time; drop it for those.
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
# Allow-list first, then deny two groups a normal daemon never needs. Repeated assignments merge; an empty one resets.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Empty value = no capabilities at all. Pair it with User= or DynamicUser=yes so the process is not uid 0 either.
CapabilityBoundingSet=
If your service needs to write somewhere, keep ProtectSystem=strict and punch a hole with ReadWritePaths=/var/lib/yourservice (the directory must already exist), or better, set StateDirectory=yourservice: systemd then creates /var/lib/yourservice, chowns it to the service user and leaves it writable under strict. Keep the holes narrow; ReadWritePaths=/ or /etc hands the read-only tree straight back.
For a service that only makes outgoing HTTPS calls this set removes most of what a post-exploitation payload needs: nothing on the filesystem is writable except the state directory, no new privileges or capabilities can be acquired, and the syscall filter blocks the privileged groups. It does not stop the initial bug in the service itself, and the allowed AF_INET/AF_INET6 families still let a compromised process talk to the network. systemd-analyze security yourservice gives the unit an exposure score from 0 (best) to 10 (worst); it scores the sandboxing settings systemd loaded, drop-ins included, not the binary, so a low score says the sandbox is tight, not that the code is safe.
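The options above interact in ways a grep for their names does not catch: repeated SystemCallFilter= lines merge, an empty SystemCallFilter= later in the file throws the whole filter away, ReadWritePaths=/ undoes ProtectSystem=strict, and an empty CapabilityBoundingSet= still leaves the process running as uid 0 unless User= or DynamicUser=yes is set. Below is an added example, not from this post and not part of systemd, of a small Python checker that reads a unit's [Service] section with those semantics and reports what deviates from the list above. The unit name, ExecStart path and state directory in the sample units are made up; systemd-analyze security remains the authoritative tool.

```python
"""Lint a unit's [Service] section against the list above. Added example, not
systemd code (systemd-analyze security is the real tool). Models what a grep for
option names misses: repeated list assignments append, an empty assignment resets
the list, and a leading "~" turns an assignment into a deny-list."""

TRUE = {"yes", "true", "on", "1"}
BOOLEAN_OPTIONS = (  # last assignment wins for these
    "NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectKernelLogs", "ProtectControlGroups", "RestrictRealtime",
    "RestrictSUIDSGID", "LockPersonality", "MemoryDenyWriteExecute")
TOP_LEVEL = {"/", "/usr", "/etc", "/boot", "/efi"}  # ReadWritePaths= that undo strict


def parse_service(unit_text):
    """{key: [each assignment, in order]} for [Service], honouring '#'/';' comments
    and backslash continuation like systemd (configparser would drop duplicates)."""
    values, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, val = line.partition("=")
            values.setdefault(key.strip(), []).append(val.strip())
    return values


def list_setting(values, key):
    """systemd list semantics -> (allow, deny), or None if never assigned."""
    if key not in values:
        return None
    allow, deny = [], []
    for v in values[key]:
        if v == "":
            allow, deny = [], []  # empty assignment wipes everything before it
        elif v.startswith("~"):
            deny += v[1:].split()  # "~a b" denies both a and b
        else:
            allow += v.split()
    return allow, deny


def audit(unit_text):
    """Sorted 'missing'/'weak'/'warnings' lists; all empty means the unit matches."""
    v = parse_service(unit_text)
    last = lambda key: (v[key][-1] if key in v else "").lower()
    missing = [o for o in BOOLEAN_OPTIONS if last(o) not in TRUE]
    weak, warnings = [], []
    ps = last("ProtectSystem")
    if ps in TRUE | {"full"}:
        weak.append("ProtectSystem=%s (use strict)" % ps)
    elif ps != "strict":
        missing.append("ProtectSystem")
    if last("ProtectHome") not in TRUE | {"read-only", "tmpfs"}:
        missing.append("ProtectHome")
    if last("RestrictNamespaces") in {"", "no", "false", "off", "0"}:  # a list also restricts
        missing.append("RestrictNamespaces")
    if last("SystemCallArchitectures") != "native":
        missing.append("SystemCallArchitectures")
    scf = list_setting(v, "SystemCallFilter")
    if scf is None or scf == ([], []):
        missing.append("SystemCallFilter")
    elif not scf[0]:
        weak.append("SystemCallFilter is deny-list only; start from @system-service")
    else:
        weak += ["SystemCallFilter does not deny %s" % g
                 for g in ("@privileged", "@resources") if g not in scf[1]]
    raf = list_setting(v, "RestrictAddressFamilies")
    if raf is None or not raf[0]:
        missing.append("RestrictAddressFamilies")
    caps = list_setting(v, "CapabilityBoundingSet")
    if caps is None:
        missing.append("CapabilityBoundingSet")
    elif caps != ([], []):
        weak.append("CapabilityBoundingSet is not empty")
    elif last("DynamicUser") not in TRUE and last("User") in {"", "root", "0"}:
        warnings.append("CapabilityBoundingSet= is empty but the service still "
                        "runs as uid 0; set User= or DynamicUser=yes")
    rw = list_setting(v, "ReadWritePaths")
    for path in (rw[0] if rw and ps == "strict" else []):
        if (path.lstrip("-+").rstrip("/") or "/") in TOP_LEVEL:
            warnings.append("ReadWritePaths=%s undoes ProtectSystem=strict" % path)
    return {"missing": sorted(missing), "weak": sorted(weak), "warnings": sorted(warnings)}


# Constructed samples (unit name made up). HARDENED is the list above, with the
# boolean options generated from BOOLEAN_OPTIONS, plus a dynamic user and a state dir.
HARDENED = "[Service]\nExecStart=/usr/bin/yourservice\nDynamicUser=yes\nStateDirectory=yourservice\n" + \
    "".join("%s=yes\n" % o for o in BOOLEAN_OPTIONS) + """ProtectSystem=strict
ProtectHome=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
CapabilityBoundingSet=
"""
# LEAKY looks identical at a glance, but three lines quietly undo the sandbox.
LEAKY = HARDENED.replace("DynamicUser=yes\n", "") + "ReadWritePaths=/\nSystemCallFilter=\n"

if __name__ == "__main__":
    print("hardened:", audit(HARDENED))
    print("leaky:", audit(LEAKY))
```

Useful as a pre-commit check over unit files kept in a repo; on a live host prefer systemd-analyze security, which scores the unit systemd actually loaded, drop-ins included, and knows every option rather than the handful listed here.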