systemd: add sandboxing directives

This sandboxes the service in three ways:

* Remove all capabilities by emptying the capability bounding set and
  setting the no_new_privs bit. irqbalance drops capabilities during
  initialization anyways, and as far as I can tell nothing before that
  step requires capabilities, so we might as well drop them even
  earlier.

* Mount the entire file system except for /proc/irq read-only. /proc/irq
  is the only directory that irqbalance should need to write to
  (assuming that no PID file is configured).

* Disable most communication with the outside world by preventing access
  to address families other than unix(7) (e.g. ip(7), ipv6(7)) and
  hiding sockets in the /run directory from it. (Due to the file system
  restrictions, the daemon cannot allocate new socket files either, but
  the abstract namespace remains accessible for communication with
  irqbalance-ui.)

This is not a complete sandbox, but intended to strike a balance between
security and a readable, not overly long unit file.

Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de>
Lucas Werkmeister 2018-06-07 19:35:28 +02:00
parent 93e9429388
commit 5deac3d0ac


@ -7,6 +7,12 @@ ConditionVirtualization=!container
[Service]
EnvironmentFile=/path/to/irqbalance.env
ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS
CapabilityBoundingSet=
NoNewPrivileges=yes
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
RestrictAddressFamilies=AF_UNIX
TemporaryFileSystem=/run:ro
[Install]
WantedBy=multi-user.target
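Review bot: the "no PID file" assumption from the commit message is not recorded anywhere near `ReadOnlyPaths=/` / `ReadWritePaths=/proc/irq`, yet `$IRQBALANCE_ARGS` is read from an administrator-edited `EnvironmentFile`, so anyone adding a PID file option there will get an opaque write failure at start-up. Consider a comment above the new directives (or in the environment file) stating that only `/proc/irq` is writable and that a PID file would need an additional `ReadWritePaths=` entry. Two smaller points on the same hunk: `ProtectSystem=strict` (with `ProtectHome=yes`) is the idiomatic systemd spelling of "everything read-only except what is listed in `ReadWritePaths=`" and reads more clearly than `ReadOnlyPaths=/`; and `TemporaryFileSystem=/run:ro` hides all of `/run`, not just sockets, so the unit should document that irqbalance-ui communication relies on the abstract socket namespace, as the commit message says, since a future switch to a path-based socket under `/run` would silently break.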