cloud-setup: more sandboxing in service file

Note that some of those sandboxing options may require relatively
recent systemd. In that case, to run against older systemd, you
will need to patch the service file. I don't think there is
a way around that, and limiting outselves to only the oldest supported
option is harmful for users who run recent systemd.

See-also: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

NEWS

@@ -22,6 +22,7 @@ Overview of changes since NetworkManager-1.44
 * Limit number of exported IP addresses/routes on D-Bus to 100 to reduce
   performance cost. Also, D-Bus updates for addresses/routes are now rate
   limited to 3 per second.
+* cloud-setup: enable more sandboxing options in systemd service file.
 
 =============================================
 NetworkManager-1.44

src/nm-cloud-setup/nm-cloud-setup.service.in

@@ -22,22 +22,30 @@ ExecStart=@libexecdir@/nm-cloud-setup
 #Environment=NM_CLOUD_SETUP_ALIYUN=yes
 
 CapabilityBoundingSet=
+KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectProc=invisible
 ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+
+DevicePolicy=closed
+PrivateNetwork=no
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service
 
 [Install]