wtmpdbd.service: secure more

units/wtmpdbd.service

@@ -7,21 +7,23 @@ Type=notify
 Environment="WTMPDBD_OPTS="
 EnvironmentFile=-/etc/default/wtmpdbd
 ExecStart=/usr/libexec/wtmpdbd -s $WTMPDBD_OPTS
-#DeviceAllow=/dev/vsock r
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
-ReadWritePaths=/etc /run/wtmpdb /var/lib/wtmpdb
+RestrictRealtime=true
+ReadWritePaths=/run/wtmpdb /var/lib/wtmpdb
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes