daemon: Enable PrivateDevices and related flags in .service files
Enable the following flags for the daemon and mock backends:

• PrivateDevices=yes
• ProtectSystem=full
• ProtectHome=yes
• PrivateTmp=yes

These mount per-process tmpfs file systems at /home, /root, /run/user, /tmp, /var/tmp; and bind mount restricted views of /dev and read-only views of /usr, /boot and /etc. This should minimise the amount of the system which is exposed to the daemon or its backends. Access to all of these files is already restricted by AppArmor, so this acts as an additional line of defence.

See:
• https://www.freedesktop.org/software/systemd/man/systemd.exec.html
• https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
• https://lwn.net/Articles/531381/

Note that this requires the (attach_disconnected) flag on the AppArmor profiles, to instruct AppArmor that paths from outside the process’ mount namespace are to be resolved relative to the host root (/). This is safe, under the assumption that the bind mounts are used only for exposing parts of the host file system; but is not safe if we start rearranging views of the file system through bind mounts in future.

See:
• https://lists.ubuntu.com/archives/apparmor/2010-July/000110.html
• https://www.suse.com/documentation/sles-12/book_security/data/sec_apparmor_profiles_glob.html#sec_apparmor_profiles_flags

Without this flag, we get audit errors like the following:

type=AVC msg=audit(1463572311.066:895): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/rhosydd" name="run/systemd/notify" pid=2485 comm="rhosydd" requested_mask="w" denied_mask="w" fsuid=115 ouid=0

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Signed-off-by: Philip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3197
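As an added example (not code from the rhosydd commit or project), a small POSIX shell check that a unit file carries the four sandboxing directives enabled above and that the matching AppArmor profile header carries the attach_disconnected flag they depend on; the unit and profile contents it checks are constructed samples, not the project's files.

```shell
#!/bin/sh
# Added example, not code from the rhosydd commit: check that a systemd unit
# carries the four sandboxing directives the commit enables, and that the
# matching AppArmor profile carries the attach_disconnected flag they need.
# All file names and contents below are constructed for illustration.

REQUIRED_DIRECTIVES="PrivateDevices=yes ProtectSystem=full ProtectHome=yes PrivateTmp=yes"

# Print each required directive missing from a unit file; return 1 if any is missing.
check_unit_hardening() {
    unit="$1"
    missing=0
    for directive in $REQUIRED_DIRECTIVES; do
        # Match the exact key=value on its own line, allowing surrounding whitespace.
        if ! grep -Eq "^[[:space:]]*${directive}[[:space:]]*$" "$unit"; then
            echo "$unit: missing $directive"
            missing=1
        fi
    done
    return $missing
}

# Return 0 if the profile header's flags=(...) list includes attach_disconnected.
check_profile_attach_disconnected() {
    grep -Eq '^[^#]*flags=\([^)]*attach_disconnected' "$1"
}

# Constructed samples: a hardened unit, an unhardened one, and two profiles.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/hardened.service" <<'EOF'
[Service]
ExecStart=/usr/bin/rhosydd
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
EOF
printf '[Service]\nExecStart=/usr/bin/rhosydd\nPrivateTmp=yes\n' > "$tmpdir/plain.service"
printf '/usr/bin/rhosydd flags=(attach_disconnected) {\n}\n' > "$tmpdir/good.profile"
printf '/usr/bin/rhosydd {\n}\n' > "$tmpdir/plain.profile"

check_unit_hardening "$tmpdir/hardened.service" && echo "hardened.service: ok"
check_unit_hardening "$tmpdir/plain.service" || echo "plain.service: needs hardening"
check_profile_attach_disconnected "$tmpdir/plain.profile" || echo "plain.profile: lacks attach_disconnected"
```

A unit that passes the directive check but whose profile lacks the flag is exactly the combination that produces the "disconnected path" AVC denial quoted in the commit message.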
Showing 7 changed files:
- backends/mock/rhosydd-mock-backend.service.in: 4 additions, 3 deletions
- backends/mock/usr.lib.rhosydd.rhosydd-mock-backend.in: 3 additions, 1 deletion
- backends/speedo/rhosydd-speedo-backend.service.in: 4 additions, 3 deletions
- backends/speedo/usr.lib.rhosydd.rhosydd-speedo-backend.in: 3 additions, 1 deletion
- daemon/rhosydd.service.in: 4 additions, 3 deletions
- daemon/usr.bin.rhosydd: 3 additions, 1 deletion
- tests/isolation.py: 13 additions, 3 deletions