systemd: tight sandboxing (#103)

wireproxy needs very little permissions, we can restrict it to basically
nothing. DynamicUser means the system will generate a UID on demand
for service, also CAP_NET_BIND_SERVICE can be used to allow this user
to bind to a port < 1024 if desired. Also LoadCredential lets us read
a file with tight permissions i.e. root:root 0400 and pass it to only
wireproxy in an ephemeral and constrained manner.

Signed-off-by: J. Dekker <jdek@itanimul.li>

systemd/wireproxy.service

@@ -4,15 +4,43 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
-#Uncomment and/or change these if you don't want to run Wireproxy as root
-#User=wireproxy
-#Group=wireproxy
+User=wireproxy
+Group=wireproxy
+SyslogIdentifier=wireproxy
 Type=simple
 Restart=on-failure
 RestartSec=30s
-ExecStartPre=/opt/wireproxy/wireproxy -n -c /etc/wireproxy.conf
-ExecStart=/opt/wireproxy/wireproxy -c /etc/wireproxy.conf
-SyslogIdentifier=wireproxy
+
+DynamicUser=yes
+LoadCredential=conf:/etc/wireproxy.conf
+ExecStartPre=/opt/wireproxy/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
+ExecStart=/opt/wireproxy/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
+
+# Required if <1024 port
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LimitNPROC=64
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target