WIP: networkmanager: restrict (using systemd options)

hosts/common/net/networkmanager.nix

@@ -67,6 +67,21 @@ in {
       "CAP_AUDIT_WRITE"  #< allow writing to the audit log
       # "CAP_KILL"
     ];
+    serviceConfig.LockPersonality = true;
+    serviceConfig.PrivateDevices = true;  # remount /dev with just the basics, syscall filter to block @raw-io
+    serviceConfig.PrivateIPC = true;
+    serviceConfig.PrivateUsers = true;  # TODO: might break hooks?
+    serviceConfig.ProtectClock = true;  # syscall filter to prevent changing the RTC
+    serviceConfig.ProtectControlGroups = true;
+    serviceConfig.ProtectHome = true;  # makes empty: /home, /root, /run/user
+    serviceConfig.ProtectHostname = true;  # probably not upstreamable: prevents changing hostname
+    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
+    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
+    # ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. TODO: "strict" would make all but /dev, /proc, /sys inaccessible.
+    # serviceConfig.RestrictAddressFamilies = TODO
+    serviceConfig.RestrictSUIDSGID = true;
+    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
     # TODO: it needs these directories:
     # - "/proc/net"
     # - "/proc/sys/net"