Introduce systemd.exec restrictions for better security

etc/systemd/system/mariadb.service.d/custom.conf

@@ -1,2 +1,18 @@
 [Service]
 LimitNOFILE=100000
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+ProtectHome=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/mysql/
+BindPaths=/var/lib/mysql/
+BindPaths=/var/run/mysqld/
+BindPaths=/run/mysqld/
+InaccessiblePaths=/var/www/