
Harden the shipped systemd service #203

Open

jeet-dekivadia wants to merge 1 commit into twosigma:main from jeet-dekivadia:codex/harden-systemd-unit

Conversation

jeet-dekivadia (Contributor) commented May 30, 2026

Summary

  • empty the service capability bounding set and isolate kernel-facing interfaces that NSS modules should not need
  • restrict namespace, realtime, personality, and alternate-ABI use while preserving host configuration, network access, and helper-daemon communication
  • deny clock, raw-I/O, reboot, and swap syscall groups without changing service identity, filesystem visibility, or socket creation

Fixes #156

Validation

  • git diff --check
  • reviewed the selected directives against the NSS compatibility constraints discussed in Harden nsncd.service #156

Remote Linux validation

  • git diff --check
  • systemd-analyze verify nsncd.service

Signed-off-by: Jeet Dekivadia <jeet.university@gmail.com>
jeet-dekivadia (Contributor, Author) commented

Small follow-up for review context. This is deliberately service-boundary hardening rather than a behavior change: it blocks alternate ABIs, namespace creation, realtime scheduling, high-risk syscall groups, and kernel-facing interfaces while preserving host configuration, network access, helper-daemon communication, service identity, and socket creation.

Validation from preparation: git diff --check; systemd-analyze verify nsncd.service; reviewed the selected directives against the NSS compatibility constraints in #156 and systemd.exec semantics.
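The PR's diff is not reproduced on this page, so as an added illustration (not the PR's own change, which should be read from the diff) here is a drop-in that maps each item of the summary above to the corresponding systemd.exec directive, and lists the directives that must stay unset to preserve the behaviour the author says is unchanged. The drop-in path and the unit name nsncd.service (taken from the validation command) are assumptions.

```ini
# /etc/systemd/system/nsncd.service.d/10-hardening.conf  (path is an assumption)
[Service]
# "empty the service capability bounding set": an empty value clears every capability
CapabilityBoundingSet=

# "isolate kernel-facing interfaces that NSS modules should not need"
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes

# "restrict namespace, realtime, personality, and alternate-ABI use"
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native

# "deny clock, raw-I/O, reboot, and swap syscall groups"; the leading ~ denies the listed groups
SystemCallFilter=~@clock @raw-io @reboot @swap

# Deliberately left unset, so the points the PR says it preserves still hold:
#   PrivateNetwork= / IPAddressDeny=      network access for network-backed NSS lookups
#   RestrictAddressFamilies=              AF_UNIX sockets to helper daemons, AF_INET/AF_INET6 for lookups
#   ProtectSystem= / ProtectHome=         filesystem visibility of host configuration (nsswitch.conf, hosts, ...)
#   DynamicUser= / User=                  service identity unchanged
```

Validate the merged unit the same way the PR does with `systemd-analyze verify nsncd.service`, and compare the exposure score before and after with `systemd-analyze security nsncd.service`.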
