pufferffish / wireproxy

Wireguard client that exposes itself as a socks5 proxy
ISC License

systemd: tight sandboxing #103

Closed jdek closed 3 months ago

jdek commented 3 months ago

wireproxy needs very few permissions, so we can restrict it to basically nothing. DynamicUser means the system will generate a UID on demand for the service; also, CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired. LoadCredential lets us read a file with tight permissions, i.e. root:root 0400, and pass it only to wireproxy in an ephemeral and constrained manner.
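As an added illustration (not the unit file from this PR or from the wireproxy project), here is a systemd unit that combines the three mechanisms described above. It assumes the binary lives at `/usr/bin/wireproxy`, that it accepts `-c <path>` for its configuration file, and that the root-owned `0400` config is at `/etc/wireproxy/config`; adjust those paths for your installation. The remaining hardening directives are standard systemd options that narrow what the dynamically created user can touch.

```ini
# /etc/systemd/system/wireproxy.service  (added example, assumed paths)
[Unit]
Description=WireGuard client exposed as a SOCKS5 proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# A UID/GID is allocated for the lifetime of the service and released afterwards;
# nothing on disk needs to be chowned to a persistent "wireproxy" account.
DynamicUser=yes

# The config file stays root:root 0400 on disk. systemd copies it into a
# per-service tmpfs and exposes it as $CREDENTIALS_DIRECTORY/config,
# readable only by this service's dynamic user.
LoadCredential=config:/etc/wireproxy/config
ExecStart=/usr/bin/wireproxy -c ${CREDENTIALS_DIRECTORY}/config

# Only needed if the SOCKS5 listener binds a port below 1024. Ambient
# capabilities let an unprivileged (dynamic) user keep this single capability
# without the binary being setcap; the bounding set drops everything else.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Generic confinement: read-only view of the OS, no home directories,
# no privilege escalation, no device access, no unrelated socket families.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# A userspace WireGuard implementation only needs UDP/TCP sockets.
RestrictAddressFamilies=AF_INET AF_INET6
# Baseline syscall allow-list for ordinary services; tighten further after
# testing with `strace -f` or by reviewing `systemd-analyze security`.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

After installing the file, `systemctl daemon-reload && systemctl enable --now wireproxy` starts it, and `systemd-analyze security wireproxy.service` reports an exposure score that shows which of the remaining attack-surface reductions still apply. If the listener is configured on a port at or above 1024, both `Capability*` lines can be dropped entirely, leaving the service with no capabilities at all.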

pufferffish commented 3 months ago

This is interesting. For OpenBSD, wireproxy would automatically use pledge and unveil to limit its privileges. I think it would be worth it if we also had something similar for Linux, and not just in systemd. I believe something similar can be achieved with seccomp, but I haven't looked into it.

villepeh commented 2 months ago

Thanks for these improvements! I'm not a pro with systemd units so I'm glad someone took a look