Hardened udptunnel service

packer/rootfs/etc/systemd/system/udptunnel.service

@@ -9,22 +9,42 @@ Restart=always
 ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
 StandardOutput=journal
 StandardError=journal
+UMask=0077
 DynamicUser=yes
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
 ProtectSystem=strict
 ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
+ProtectProc=invisible
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RemoveIPC=yes
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
 SystemCallArchitectures=native
+CapabilityBoundingSet=
+DevicePolicy=closed
+ProcSubset=pid
+NoNewPrivileges=yes
 
 [Install]
 WantedBy=multi-user.target