author: Ryan Ofsky <ryan@ofsky.org> 2024-04-17 12:59:37 -0400
committer: Ryan Ofsky <ryan@ofsky.org> 2024-04-17 13:00:42 -0400
commit: dbd2000b34903b87ae2e02eb2fc6c4a2f7d11451 (patch)
tree: 23df807127ccb95e29aaf95f897713163fda654c /contrib
parent: 003785c961e1b25f7052ee48d6751c5e7d1d774b (diff)
parent: 0244416aacbad03e4ebe8f2c95c7861a318916ea (diff)
download: bitcoin-dbd2000b34903b87ae2e02eb2fc6c4a2f7d11451.tar.xz

Merge bitcoin/bitcoin#28340: security: restrict abis in bitcoind.service

0244416aacbad03e4ebe8f2c95c7861a318916ea security: restrict abis in bitcoind.service (Charlie)

Pull request description:

  [As noted here](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=), it's a good idea to pair `MemoryDenyWriteExecute=true` with `SystemCallArchitectures=native` because `MemoryDenyWriteExecute` can be circumvented in some operating systems which support multiple ABIs like x86/x86-64. This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area.

ACKs for top commit:
  laanwj:
    ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea . This is a sensible security feature.
  0xB10C:
    ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea

Tree-SHA512: 77a35b0674d8d67d857cd20ae1b8cd011f82d6f5ed21bc106cbe45bfa937e786ddc1bf7261e3bdb8c289df1224e91658760905d2c8f37cc4c6506ef8037ad158

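
A way to audit other unit files for the pairing the pull request description recommends. This is an added example, not code from the bitcoin repository or from systemd; the function names and the BEFORE/AFTER sample units are constructed for illustration, and line continuations and drop-in files are not handled.

```python
TRUE_VALUES = {"1", "yes", "true", "on"}  # systemd boolean spellings for "enabled"

def service_values(unit_text):
    """Map each [Service] key to the list of values assigned to it, in file order."""
    values, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            values.setdefault(key.strip(), []).append(value.strip())
    return values

def audit_mdwe(unit_text):
    """Return findings for the MemoryDenyWriteExecute / SystemCallArchitectures pairing."""
    values = service_values(unit_text)
    # Booleans: the last assignment wins.
    mdwe = values.get("MemoryDenyWriteExecute", ["false"])[-1].lower() in TRUE_VALUES
    # Architecture list: assignments accumulate, an empty assignment resets the list.
    archs = set()
    for value in values.get("SystemCallArchitectures", []):
        archs = archs | set(value.split()) if value else set()
    if not mdwe:
        return ["MemoryDenyWriteExecute is not enabled"]
    if not archs:
        return ["SystemCallArchitectures is unset: non-native ABIs remain available"]
    if archs != {"native"}:
        return ["SystemCallArchitectures allows more than native: " + " ".join(sorted(archs))]
    return []

# Constructed sample units modelled on the [Service] lines shown in the diff.
BEFORE = """[Service]
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
"""
AFTER = BEFORE.replace("[Install]", "SystemCallArchitectures=native\n\n[Install]")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_mdwe(text) or "ok")
```
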
Diffstat (limited to 'contrib')
-rw-r--r-- contrib/init/bitcoind.service 3
1 files changed, 3 insertions, 0 deletions
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index 87da17f955..ade8a05926 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -81,5 +81,8 @@ PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
+# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced
+SystemCallArchitectures=native
+
[Install]
WantedBy=multi-user.target
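
Review bot: the comment on the added SystemCallArchitectures=native line gives the intent ("help ensure MemoryDenyWriteExecute is enforced") but not the effect, so a reader of the unit file cannot tell what is being denied. Consider wording it along the lines of "# Only allow system calls through the native ABI, so MemoryDenyWriteExecute cannot be bypassed via another ABI." The new comment also drops the trailing period that the "# Deny the creation of writable and executable memory mappings." comment directly above it uses.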