Further harden custom systemd unit files
Originally created by @intrigeri on #12080 (Redmine)
Here are a few directives we should apply to all our custom unit files, whenever it doesn’t break stuff:
- RestrictAddressFamilies
- ProtectKernelTunables
- ProtectControlGroups
- ProtectKernelModules
- MemoryDenyWriteExecute
- RestrictRealtime
Reference: https://lwn.net/Articles/709755/
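One way to track progress on this, as an added example that is not part of the original issue or the project's code: a POSIX shell audit that reports which of the six directives listed above a unit file's `[Service]` section does not set. The function names and the sample unit are constructed for illustration, and the check reads only the file it is given, not drop-ins or line continuations.

```shell
# Directives named in the issue above.
DIRECTIVES="RestrictAddressFamilies ProtectKernelTunables ProtectControlGroups
ProtectKernelModules MemoryDenyWriteExecute RestrictRealtime"

# Print the keys assigned in the [Service] section of unit file $1.
service_keys() {
    awk '
        /^[[:space:]]*[#;]/ { next }    # comment lines set nothing
        /^[[:space:]]*\[/   { in_service = ($0 ~ /^[[:space:]]*\[Service\]/); next }
        in_service && /=/   { key = $0
                              sub(/[[:space:]]*=.*/, "", key)
                              sub(/^[[:space:]]+/, "", key)
                              print key }
    ' "$1"
}

# Print, space-separated, the listed directives that unit file $1 does not set.
missing_directives() {
    keys=$(service_keys "$1")
    missing=""
    for d in $DIRECTIVES; do
        printf '%s\n' "$keys" | grep -qxF "$d" || missing="$missing${missing:+ }$d"
    done
    printf '%s\n' "$missing"
}

# Constructed sample unit (not a real project unit file), written to path $1.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
# RestrictRealtime=yes   (commented out, so not in effect)
[Service]
ExecStart=/bin/true
ProtectKernelTunables=yes
ProtectKernelModules = yes
[Install]
MemoryDenyWriteExecute=yes
EOF
}

# Audit the unit files given as arguments; with none, audit the sample.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp) && write_sample_unit "$sample" && set -- "$sample"
fi
for unit in "$@"; do
    printf '%s: missing %s\n' "$unit" "$(missing_directives "$unit")"
done
[ -z "${sample:-}" ] || rm -f "$sample"
```

A directive that appears only in a comment or outside `[Service]` is reported as missing, since it has no effect on the service there.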