add new options for systemd

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/icingadb-redis.service

@@ -12,6 +12,42 @@ User=icingadb-redis
 Group=icingadb-redis
 RuntimeDirectory=icingadb-redis
 RuntimeDirectoryMode=0755
+UMask=007
+CapabilityBoundingSet=
+LimitNOFILE=65535
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~ @privileged @resources
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+NoExecPaths=/
+ExecPaths=/usr/bin/icingadb-redis-server /usr/lib /lib
+ExecPaths=-/usr/lib64
+ExecPaths=-/lib64
+ReadOnlyPaths=/
+ReadWritePaths=-/var/lib/icingadb-redis
+ReadWritePaths=-/var/log/icingadb-redis
+ReadWritePaths=-/var/run/icingadb-redis
+
 
 [Install]
 WantedBy=multi-user.target