irqbalance/misc
Lucas Werkmeister 5deac3d0ac systemd: add sandboxing directives
This sandboxes the service in three ways:

* Remove all capabilities by emptying the capability bounding set and
  setting the no_new_privs bit. irqbalance drops capabilities during
  initialization anyway, and as far as I can tell nothing before that
  step requires capabilities, so we might as well drop them even
  earlier.

* Mount the entire file system except for /proc/irq read-only. /proc/irq
  is the only directory that irqbalance should need to write to
  (assuming that no PID file is configured).

* Disable most communication with the outside world by preventing access
  to address families other than unix(7) (e.g. ip(7), ipv6(7)) and
  hiding sockets in the /run directory from it. (Due to the file system
  restrictions, the daemon cannot allocate new socket files either, but
  the abstract namespace remains accessible for communication with
  irqbalance-ui.)

This is not a complete sandbox, but intended to strike a balance between
security and a readable, not overly long unit file.

Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de>
2018-06-23 13:49:37 +02:00
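The three sandboxing measures described in the commit message map onto a small set of systemd.exec(5) directives. The unit fragment below is an added illustration of that mapping written for this page; it is not a copy of the project's irqbalance.service, and the ExecStart path, the EnvironmentFile location and the choice of TemporaryFileSystem=/run (rather than, say, InaccessiblePaths=/run) to hide the sockets under /run are assumptions made here for the example.

```ini
# Illustrative hardened unit (example for this page, not the project's own file).
[Unit]
Description=irqbalance daemon
Documentation=man:irqbalance(1)

[Service]
# Path to the daemon and the env file are assumed for this example.
EnvironmentFile=-/etc/sysconfig/irqbalance
ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS

# (1) No capabilities at all: an empty bounding set removes every
#     capability before exec, and no_new_privs prevents regaining any
#     via setuid/fscaps binaries.
CapabilityBoundingSet=
NoNewPrivileges=yes

# (2) Whole file system read-only; the more specific ReadWritePaths=
#     entry wins for /proc/irq, which is where IRQ affinity is written.
#     A PID file would need its own ReadWritePaths= entry.
ReadOnlyPaths=/
ReadWritePaths=/proc/irq

# (3) Only AF_UNIX sockets (no IP/IPv6); mount an empty tmpfs over /run
#     so existing socket files there are hidden. The abstract unix
#     namespace is unaffected, so irqbalance-ui can still connect.
#     TemporaryFileSystem= requires systemd 238 or newer (assumption:
#     this is what "hiding sockets in /run" is implemented with).
RestrictAddressFamilies=AF_UNIX
TemporaryFileSystem=/run

[Install]
WantedBy=multi-user.target
```

To confirm the directives took effect on a running system, inspect the loaded unit with `systemctl show -p CapabilityBoundingSet,NoNewPrivileges,ReadOnlyPaths,ReadWritePaths,RestrictAddressFamilies irqbalance.service`, and on systemd 240 or newer run `systemd-analyze security irqbalance.service` for an overall exposure score. Note that the remaining gaps the commit message acknowledges (for example, no ProtectKernelTunables=, no SystemCallFilter=, and /proc/irq left writable as a whole rather than per-IRQ) will still show up in that report.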
90-irqbalance.rules misc: add sample udev rule 2017-08-08 14:10:07 -04:00
irqbalance.env add irqbalance args variable to env file 2012-07-12 11:25:02 -04:00
irqbalance.service systemd: add sandboxing directives 2018-06-23 13:49:37 +02:00