d/service: Use systemd to sandbox eg25-manager

With eg25-manager directly interfacing with the untrusted modem and
potentially (MR !15) including libcurl for HTTP, sandboxing the daemon
significantly reduces the any post-exploit attack surface.

debian/eg25-manager.service

@@ -6,6 +6,23 @@ Before=ModemManager.service
 Type=simple
 ExecStart=/usr/bin/eg25manager
 Restart=on-failure
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictSUIDSGID=true
+PrivateTmp=true
+ProtectedKernelModules=true
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectProc=true
+ProtectDevices=true
+DeviceAllow=/dev/ttyS2
+LockPersonality=true
+ProtectClock=true
+ProtectKernelLog=true
 
 [Install]
 WantedBy=multi-user.target