GitLab

systemd supports features like ReadOnlyDirectories and dropping capabilities. We should make use of them, to improve the security of the overall system.

One caveat, tough: AFAIK, different versions of systemd support different "droppable" capabilites. If one is using a list of capabilites and only one of them isn't supported, all of them are ignored.

This needs research and further discussion, for now that's just a starting point to keep track of it (and to counter my bad memory..)