Improve security of rest-server.service by restricting network access

This patch improves the overall security assessment score given by
`systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE"
(when using systemd-analyze version 253)

* Remove `AF_INET AF_INET6` from RestrictAddressFamilies.
  Sockets originating from socket activation are not affected by the
  systemd directive RestrictAddressFamilies.
  See systemd.exec man page.

* Add `PrivateNetwork=yes`
  as recommended for socket-activated services in the systemd.socket man page

* Add dependency on rest-server.socket

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>

examples/systemd/rest-server.service

@@ -2,9 +2,8 @@
 Description=Rest Server
 After=syslog.target
 After=network.target
-
+Requires=rest-server.socket
-# if you want to use socket activation, make sure to require the socket here
+After=rest-server.socket
-#Requires=rest-server.socket
 
 [Service]
 Type=simple
@@ -37,6 +36,11 @@ CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
+
+# As the listen socket is created by systemd via the rest-server.socket unit, it is
+# no longer necessary for rest-server to have access to the host network namespace.
+PrivateNetwork=yes
+
 PrivateTmp=yes
 PrivateDevices=true
 PrivateUsers=true
@@ -51,7 +55,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host