systemd: unit hardening

This increases the isolation of TheLounge service.

This patch does not set `SystemCallFilter` option as it might break old
Debian-based distributions due to a different naming convention for predefined
call sets.

systemd/system.service

@@ -9,9 +9,27 @@ User=thelounge
 Group=thelounge
 Type=simple
 ExecStart=/usr/bin/thelounge start
+
+# Hardening
+LockPersonality=yes
 ProtectSystem=yes
+ProtectClock=yes
+ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProcSubset=pid
+RemoveIPC=yes
+# cacheable-lookup module requires AF_NETLINK
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 NoNewPrivileges=yes
+PrivateDevices=yes
 PrivateTmp=yes
 
 [Install]