deluge: Use systemd sandboxing features

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Remove directive for unused logs directory]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>

actions/deluge

@@ -38,6 +38,20 @@ ExecStart=bash -c "/usr/bin/deluge-web --base=deluge $(/usr/bin/deluge-web --ver
 Restart=on-failure
 User=debian-deluged
 Group=debian-deluged
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+StateDirectory=deluged
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

plinth/modules/deluge/__init__.py

@@ -30,7 +30,7 @@ from plinth.modules.users import register_group
 
 from .manifest import backup, clients  # noqa, pylint: disable=unused-import
 
-version = 3
+version = 4
 
 managed_services = ['deluge-web']