debian/pcidentd.service: restrict service

These are all (relevant) options I found to restrict this service.

debian/pcidentd.service: restrict service
These are all (relevant) options I found to restrict this service.
2f8ca02c · Simon Ruderich · 7197154d · 2f8ca02c
Commit 2f8ca02c authored Nov 02, 2017 by Simon Ruderich
--- a/debian/pcidentd.service
+++ b/debian/pcidentd.service
@@ -6,9 +6,23 @@ Wants=network.target
 Type=simple
 ExecStart=/usr/bin/pcidentd
 User=pcidentd
+
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io

 [Install]
 WantedBy=multi-user.target