Add more hardening options

templates/systemd/php-fpm@.service

@@ -26,18 +26,29 @@ RestartSec=30s
 
 # Hardening
 # https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+LockPersonality=true
+NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectSystem=full
+ProtectSystem=strict
 RestrictRealtime=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
-SystemCallFilter=@system-service
+SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+ReadWritePaths=-/var/log/
+ReadWritePaths=-{{ php_fpm_log_dir }}
+ReadWritePaths=-/var/run/
+ReadWritePaths=-/run/
+InaccessiblePaths=-/root/
+RuntimeDirectory=php
+RuntimeDirectoryPreserve=yes
 
 [Install]
 WantedBy=multi-user.target