service: harden the NetworkManager service a bit

Tested with dnsmasq (ipv4.method=shared), openvpn & vpnc.

https://bugzilla.gnome.org/show_bug.cgi?id=750598

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 980573d..42b43e3 100644 (file)
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -11,6 +11,9 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE
+ProtectSystem=true
+ProtectHome=read-only
 
 [Install]
 WantedBy=multi-user.target