systemd: more paranoid security settings

NEWS

@@ -6,6 +6,7 @@ ver 0.19.20 (not yet released)
 * output
   - winmm: fix 8 bit playback
 * fix gcc 7.0 -Wimplicit-fallthrough
+* systemd: paranoid security settings
 
 ver 0.19.19 (2016/08/23)
 * decoder

systemd/mpd.service.in

@@ -12,6 +12,15 @@ LimitRTTIME=infinity
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes
 
+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket