fix(gateway): Harden systemd gateway unit file (#8102)

Tested this with Vultr. No errors or issues reported for either IP or
CIDR resources.

Fixes:
https://firezonehq.slack.com/archives/C06L41XN05T/p1739275605563679?thread_ts=1739267494.554949&cid=C06L41XN05T

scripts/gateway-systemd-install.sh

@@ -36,9 +36,15 @@ Documentation=https://www.firezone.dev/kb
 
 [Service]
 
-# DO NOT EDIT ANY OF THE BELOW BY HAND. USE `systemctl edit firezone-gateway` INSTEAD TO CUSTOMIZE.
+# DO NOT EDIT ANY OF THE BELOW BY HAND. USE "systemctl edit firezone-gateway" INSTEAD TO CUSTOMIZE.
 
 Type=simple
+User=firezone
+Group=firezone
+PermissionsStartOnly=true
+SyslogIdentifier=firezone-gateway
+
+# Environment variables
 Environment="FIREZONE_NAME=$FIREZONE_NAME"
 Environment="FIREZONE_ID=$FIREZONE_ID"
 Environment="FIREZONE_TOKEN=$FIREZONE_TOKEN"
@@ -48,17 +54,66 @@ Environment="RUST_LOG_STYLE=never"
 Environment="LOG_FORMAT=$FIREZONE_LOG_FORMAT"
 Environment="GOOGLE_CLOUD_PROJECT_ID=$FIREZONE_GOOGLE_CLOUD_PROJECT_ID"
 Environment="OTLP_GRPC_ENDPOINT=$FIREZONE_OTLP_GRPC_ENDPOINT"
+
+# ExecStartPre script to download the gateway binary
 ExecStartPre=/usr/local/bin/firezone-gateway-init
-ExecStart=/usr/bin/sudo \
-  --preserve-env=FIREZONE_NAME,FIREZONE_ID,FIREZONE_TOKEN,FIREZONE_API_URL,RUST_LOG,LOG_FORMAT,GOOGLE_CLOUD_PROJECT_ID,OTLP_GRPC_ENDPOINT \
-  -u firezone \
-  -g firezone \
-  /usr/local/bin/firezone-gateway
+
+# ExecStart script
+ExecStart=/usr/local/bin/firezone-gateway
+
+# Restart on failure
 TimeoutStartSec=3s
 TimeoutStopSec=15s
 Restart=always
 RestartSec=7
 
+#####################
+# HARDENING OPTIONS #
+#####################
+
+# Give the service its own private /tmp directory.
+PrivateTmp=true
+
+# Mount the system directories read-only (except those explicitly allowed).
+ProtectSystem=full
+
+# Make users' home directories read-only.
+ProtectHome=read-only
+
+# Disallow gaining new privileges (e.g. via execve() of setuid binaries).
+NoNewPrivileges=true
+
+# Disallow the creation of new namespaces.
+RestrictNamespaces=yes
+
+# Prevent memory from being both writable and executable.
+MemoryDenyWriteExecute=true
+
+# Prevent the service from calling personality(2) to change process execution domain.
+LockPersonality=true
+
+# Restrict the set of allowed address families.
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+
+# Allow the process to have CAP_NET_ADMIN (needed for network administration)
+# while restricting it to only that capability.
+AmbientCapabilities=CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_ADMIN
+
+# Allow write access only to specific directories needed at runtime.
+ReadWriteDirectories=/var/lib/firezone
+
+# Make some sensitive paths inaccessible.
+InaccessiblePaths=/root /home
+
+# Set resource limits
+LimitNOFILE=4096
+LimitNPROC=512
+LimitCORE=0
+
+# Set a sane system call filter
+SystemCallFilter=@system-service
+
 [Install]
 WantedBy=multi-user.target
 EOF
@@ -91,9 +146,7 @@ else
 fi
 
 # Set proper capabilities and permissions on each start
-chgrp firezone /usr/local/bin/firezone-gateway
-chmod 0750 /usr/local/bin/firezone-gateway
-setcap 'cap_net_admin+eip' /usr/local/bin/firezone-gateway
+chmod 0755 /usr/local/bin/firezone-gateway
 mkdir -p /var/lib/firezone
 chown firezone:firezone /var/lib/firezone
 chmod 0775 /var/lib/firezone