rspamd: extend systemd service hardening

Author: thestinger

systemd/system/rspamd.service.d/override.conf

@@ -1,5 +1,27 @@
 [Service]
+CapabilityBoundingSet=
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateIPC=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run/valkey /var/lib/rspamd /var/log/rspamd /var/spool/postfix/rspamd
 Restart=always
 RestartMaxDelaySec=10s
 RestartSec=100ms
 RestartSteps=5
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native