Harden systemd service (#6391)

This commit includes strict, but still compatible, service hardening for
transmission-daemon.service. The main goal is a defense-in-depth
strategy that protects users from unknown vulnerabilities in
transmission.

In practice, transmission does not use any of the features that are
blocked in this hardening. However, this is still a network facing
daemon that, by design, accepts connections from unknown peers. So
better safe than sorry.

This commit also installs the service via CMake

Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com>

daemon/CMakeLists.txt

@@ -52,4 +52,10 @@ foreach(P daemon)
             FILES ${TR_NAME}-${P}.1
             DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
     endif()
+
+    if (WITH_SYSTEMD)
+        install(
+            FILES ${TR_NAME}-${P}.service
+            DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
+    endif()
 endforeach()

daemon/transmission-daemon.service

@@ -8,10 +8,31 @@ User=transmission
 Type=notify
 ExecStart=/usr/bin/transmission-daemon -f --log-level=error
 ExecReload=/bin/kill -s HUP $MAINPID
+
+# Hardening
+CapabilityBoundingSet=
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=true
 NoNewPrivileges=true
 MemoryDenyWriteExecute=true
-ProtectSystem=true
 PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target