Hardening systemd unit

systemd/meson.build

@@ -13,7 +13,6 @@ if dir_systemd == ''
 endif
 
 systemd_conf = configuration_data()
-systemd_conf.set('sysconfdir', dir_sysconf)
 systemd_conf.set('sbindir', dir_sbin)
 
 configure_file(input: 'tinc.service.in',

systemd/tinc.service.in

@@ -14,7 +14,7 @@ Type=oneshot
 RemainAfterExit=yes
 ExecStart=/bin/true
 ExecReload=/bin/true
-WorkingDirectory=@sysconfdir@/tinc
+WorkingDirectory=%E/tinc
 
 [Install]
 WantedBy=multi-user.target

systemd/tinc@.service.in

@@ -7,9 +7,39 @@ PartOf=tinc.service
 ReloadPropagatedFrom=tinc.service
 
 [Service]
+RemoveIPC=true
+NoNewPrivileges=true
+ReadWritePaths=%L/tinc/ %t/tinc/
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+LockPersonality=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictRealtime=true
+RestrictNamespaces=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectProc=ptraceable
+ProcSubset=pid
+PrivateTmp=true
+PrivateMounts=true
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=/dev/net/tap rwm
+
 Type=notify
-WorkingDirectory=@sysconfdir@/tinc/%i
-ExecStart=@sbindir@/tincd -n %i -D
+WorkingDirectory=%E/tinc/%i
+RuntimeDirectory=tinc
+LogsDirectory=tinc
+ExecStart=@sbindir@/tincd -n %i --pidfile=%t/tinc/%i.pid --logfile=%L/tinc/%i.log -D
 ExecReload=@sbindir@/tinc -n %i reload
 KillMode=mixed
 Restart=on-failure