storage: Add systemd sandboxing features to udiskie service

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>

plinth/modules/storage/data/lib/systemd/system/freedombox-udiskie.service

@@ -21,6 +21,18 @@ Documentation=man:udiskie(1)
 
 [Service]
 ExecStart=/usr/bin/udiskie
+LockPersonality=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target