networkmanager: harden further with NoNewPrivileges and PrivateTmp

This commit is contained in:
Colin 2024-06-03 16:23:22 +00:00
parent 0e2d86ac96
commit 8c256c629b


@ -68,8 +68,10 @@ in {
# "CAP_KILL"
];
serviceConfig.LockPersonality = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
serviceConfig.PrivateIPC = true;
serviceConfig.PrivateTmp = true;
# serviceConfig.PrivateUsers = true; #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others). "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
serviceConfig.ProtectControlGroups = true;
@ -125,8 +127,10 @@ in {
serviceConfig.User = "networkmanager"; # TODO: should arguably use `DynamicUser`
serviceConfig.Group = "networkmanager";
serviceConfig.LockPersonality = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
serviceConfig.PrivateIPC = true;
serviceConfig.PrivateTmp = true;
serviceConfig.PrivateUsers = true;
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
serviceConfig.ProtectControlGroups = true;
@ -152,8 +156,10 @@ in {
"CAP_NET_RAW"
];
serviceConfig.LockPersonality = true;
serviceConfig.NoNewPrivileges = true;
# serviceConfig.PrivateDevices = true; # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
serviceConfig.PrivateIPC = true;
serviceConfig.PrivateTmp = true;
# serviceConfig.PrivateUsers = true; #< untried, not likely to work
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
serviceConfig.ProtectControlGroups = true;
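Review bot: The new `serviceConfig.NoNewPrivileges = true;` and `serviceConfig.PrivateTmp = true;` lines in all three hunks carry no trailing comment, while the neighbouring PrivateDevices and ProtectClock lines each document what the option does and why; suggest `serviceConfig.NoNewPrivileges = true; # children NM execs can't gain privileges via setuid/fscaps; ambient caps granted above are kept` and `serviceConfig.PrivateTmp = true; # private /tmp and /var/tmp, not shared with other units`. Since the first and third variants keep a capability list (CAP_KILL commented out, CAP_NET_RAW) rather than dropping to a plain user, it is worth confirming that none of the helpers NetworkManager spawns rely on setuid or file-capability bits, because NoNewPrivileges closes exactly that path and the failure would only show up at runtime. For the second variant, which runs as `User = "networkmanager"`, systemd's sandboxing options such as PrivateDevices and ProtectClock already imply NoNewPrivileges for a non-root unit if I recall systemd.exec(5) correctly, so the explicit line there is redundant but harmless and a short comment saying so would save the next reader the lookup. The enclosing attribute sets start and end outside each hunk.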