nixos/bind: Make ProtectSystem strict, add missing SystemCallFilters

ReadWritePaths now gets the directory of zone files

nixos/modules/services/networking/bind.nix

@@ -279,7 +279,7 @@ in
         RuntimeDirectoryPreserve = "yes";
         ConfigurationDirectory = "bind";
         ReadWritePaths = [
-          (lib.mapAttrsToList (name: config: "-${config.file}") cfg.zones)
+          (lib.mapAttrsToList (name: config: if (lib.hasPrefix "/" config.file) then ("-${dirOf config.file}") else "") cfg.zones)
           cfg.directory
         ];
         CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
@@ -287,7 +287,7 @@ in
         # Security
         NoNewPrivileges = true;
         # Sandboxing
-        ProtectSystem = "full";
+        ProtectSystem = "strict";
         ReadOnlyPaths = "/sys";
         ProtectHome = true;
         PrivateTmp = true;
@@ -310,7 +310,7 @@ in
         RestrictNamespaces = true;
         # System Call Filtering
         SystemCallArchitectures = "native";
-        SystemCallFilter = "~@mount @debug @clock @reboot acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
+        SystemCallFilter = "~@mount @debug @clock @reboot @resources @privileged @obsolete acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
       };
 
       unitConfig.Documentation = "man:named(8)";