Add more security flogs to service

REFERENCE.md

@@ -2416,15 +2416,39 @@ Struct[{
     Optional['OOMPolicy']                 => Enum['continue', 'stop','kill'],
     Optional['OOMScoreAdjust']            => Integer[-1000,1000],
     Optional['Environment']               => String,
-    Optional['EnvironmentFile']           => Variant[
-      Stdlib::Unixpath,Pattern[/-\/.+/],
-      Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1],
-    ],
+    Optional['EnvironmentFile']           => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
     Optional['StandardOutput']            => Variant[Enum['inherit','null','tty','journal','kmsg','journal+console','kmsg+console','socket'],Pattern[/\A(file:|append:|truncate:).+$\z/]],
     Optional['StandardError']             => Variant[Enum['inherit','null','tty','journal','kmsg','journal+console','kmsg+console','socket'],Pattern[/\A(file:|append:|truncate:).+$\z/]],
     Optional['StandardInput']             => Variant[Enum['null','tty','tty-force','tty-fail','data','socket'], Pattern[/\A(file:|fd:).+$\z/]],
     Optional['PrivateTmp']                => Boolean,
     Optional['RuntimeDirectory']          => String,
+    Optional['RuntimeDirectoryMode']      => Stdlib::Filemode,
+    Optional['LogsDirectory']             => String,
+    Optional['LogsDirectoryMode']         => Stdlib::Filemode,
+    Optional['ProtectSystem']             => Variant[Boolean, Enum['full', 'strict']],
+    Optional['ProtectHome']               => Variant[Boolean, Enum['read-only', 'tmpfs']],
+    Optional['BindPaths']                 => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+    Optional['BindReadOnlyPaths']         => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+    Optional['PrivateDevices']            => Boolean,
+    Optional['RemoveIPC']                 => Boolean,
+    Optional['ProtectKernelModules']      => Boolean,
+    Optional['ProtectKernelTunables']     => Boolean,
+    Optional['ProtectControlGroups']      => Boolean,
+    Optional['RestrictRealtime']          => Boolean,
+    Optional['RestrictAddressFamilies']   => Variant[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none'], Array[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none']]],
+    Optional['RestrictNamespaces']        => Variant[Boolean, Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup'], Array[Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup']]],
+    Optional['SystemCallArchitectures']   => Variant[String, Array[String]],
+    Optional['SystemCallFilter']          => Variant[String, Array[String]],
+    Optional['SystemCallErrorNumber']     => String,
+    Optional['ProtectClock']              => Boolean,
+    Optional['PrivateUsers']              => Boolean,
+    Optional['ProtectKernelLogs']         => Boolean,
+    Optional['ProtectProc']               => Enum['noaccess', 'invisible', 'ptraceable', 'default'],
+    Optional['ProtectHostname']           => Boolean,
+    Optional['RestrictSUIDSGID']          => Boolean,
+    Optional['CapabilityBoundingSet']     => Variant[String, Array[String]],
+    Optional['NoNewPrivileges']           => Boolean,
+    Optional['LockPersonality']           => Boolean,
   }]
 ```
 

types/unit/service.pp

@@ -102,5 +102,32 @@
     Optional['StandardInput']             => Variant[Enum['null','tty','tty-force','tty-fail','data','socket'], Pattern[/\A(file:|fd:).+$\z/]],
     Optional['PrivateTmp']                => Boolean,
     Optional['RuntimeDirectory']          => String,
+    Optional['RuntimeDirectoryMode']      => Stdlib::Filemode,
+    Optional['LogsDirectory']             => String,
+    Optional['LogsDirectoryMode']         => Stdlib::Filemode,
+    Optional['ProtectSystem']             => Variant[Boolean, Enum['full', 'strict']],
+    Optional['ProtectHome']               => Variant[Boolean, Enum['read-only', 'tmpfs']],
+    Optional['BindPaths']                 => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+    Optional['BindReadOnlyPaths']         => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+    Optional['PrivateDevices']            => Boolean,
+    Optional['RemoveIPC']                 => Boolean,
+    Optional['ProtectKernelModules']      => Boolean,
+    Optional['ProtectKernelTunables']     => Boolean,
+    Optional['ProtectControlGroups']      => Boolean,
+    Optional['RestrictRealtime']          => Boolean,
+    Optional['RestrictAddressFamilies']   => Variant[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none'], Array[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none']]],
+    Optional['RestrictNamespaces']        => Variant[Boolean, Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup'], Array[Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup']]],
+    Optional['SystemCallArchitectures']   => Variant[String, Array[String]],
+    Optional['SystemCallFilter']          => Variant[String, Array[String]],
+    Optional['SystemCallErrorNumber']     => String,
+    Optional['ProtectClock']              => Boolean,
+    Optional['PrivateUsers']              => Boolean,
+    Optional['ProtectKernelLogs']         => Boolean,
+    Optional['ProtectProc']               => Enum['noaccess', 'invisible', 'ptraceable', 'default'],
+    Optional['ProtectHostname']           => Boolean,
+    Optional['RestrictSUIDSGID']          => Boolean,
+    Optional['CapabilityBoundingSet']     => Variant[String, Array[String]],
+    Optional['NoNewPrivileges']           => Boolean,
+    Optional['LockPersonality']           => Boolean,
   }
 ]