In my spree to tighten down the rights of long-running daemons on my system, I came up with the following systemd unit file:
[Unit]
Description=tvheadend
After=network.target

[Service]
User=tvheadend
# DVB device nodes are typically group-owned by "video", so this group grants access to them.
Group=video
Type=simple
# With Type=simple systemd already tracks the main PID, so PIDFile= is optional.
# If you keep it, /run/tvheadend must exist and be writable by the tvheadend user;
# RuntimeDirectory=tvheadend would make systemd create it for the service.
PIDFile=/run/tvheadend/tvheadend.pid
ExecStart=/usr/bin/tvheadend -p /run/tvheadend/tvheadend.pid -C -c /etc/tvheadend
ExecStop=/bin/kill -QUIT $MAINPID
Restart=always
RestartSec=5

# Hardening
PrivateTmp=yes
# Only DVB character devices, plus the few standard pseudo-devices (such as
# /dev/null and /dev/urandom) that DevicePolicy=closed always permits.
DeviceAllow=char-DVB
DevicePolicy=closed
# ProtectSystem=full mounts /usr, /boot and /etc read-only; these two paths are
# re-opened for writing. On systemd 231 and later the directive is spelled ReadWritePaths=.
ReadWriteDirectories=/mnt/local/record /etc/tvheadend
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
What this does is keep tvheadend away from every device node except the DVB ones (plus the handful of standard pseudo-devices, such as /dev/null, that DevicePolicy=closed always permits), and deny it write access to (almost) everything on the system except its configuration directory and a folder for recordings: ProtectSystem=full mounts /usr, /boot and /etc read-only, ProtectHome=yes hides the home directories, and the rest is covered by running as an unprivileged user. tvheadend also no longer starts as root.
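To check a unit like the one above for the same set of sandboxing directives (and the caveats about PIDFile=, RuntimeDirectory= and the pre-231 ReadWriteDirectories= spelling), here is a small linter. It is an added example for this post, not tvheadend or systemd code: the directive names are systemd's own, while the finding texts, the function names and the WEAK_UNIT sample are constructed here. HARDENED_UNIT is the unit from the post, copied unchanged.

```python
"""Lint a systemd unit for the sandboxing directives discussed above.

Added example for this post; it is not tvheadend or systemd code. It parses a
unit file, checks the [Service] section for the hardening settings the post
uses and reports what is missing or weak, plus three caveats about the unit as
posted. Directive names are systemd's own; the finding texts, function names
and the WEAK_UNIT sample are constructed here.
"""
import re
import sys

# Directive -> values that count as "hardened". Anything else (or absence) is a finding.
EXPECTED = {
    "NoNewPrivileges": {"yes", "true", "1", "on"},
    "ProtectSystem": {"yes", "true", "full", "strict"},
    "ProtectHome": {"yes", "true", "read-only", "tmpfs"},
    "PrivateTmp": {"yes", "true", "1", "on"},
    "DevicePolicy": {"closed", "strict"},
}


def parse_unit(text):
    """Return {section: [(key, value), ...]}. Keys may repeat, so values are kept in a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_unit(text):
    """Return a sorted list of findings (strings) about the [Service] section."""
    values = {}
    for key, value in parse_unit(text).get("Service", []):
        values.setdefault(key, []).append(value)

    def last(key, default):
        # systemd honours the last occurrence of a repeated directive.
        return values.get(key, [default])[-1]

    findings = []
    user = last("User", "root")                   # services run as root unless User= is set
    if user == "root":
        findings.append("runs as root: set User= to an unprivileged account")
    for key, good in EXPECTED.items():
        got = last(key, None)
        if got is None or got.lower() not in good:
            findings.append(f"{key}={got or '(unset)'}: not a hardened value")
    if "ReadWriteDirectories" in values:
        findings.append("ReadWriteDirectories= is the pre-231 spelling; systemd >= 231 calls it ReadWritePaths=")
    if "PIDFile" in values and last("Type", "simple") == "simple":
        findings.append("PIDFile= is redundant with Type=simple: systemd already knows the main PID")
    run_dir = re.fullmatch(r"/run/([^/]+)/.+", last("PIDFile", ""))
    if run_dir and run_dir.group(1) not in values.get("RuntimeDirectory", []):
        findings.append(f"PIDFile= lives under /run/{run_dir.group(1)}/ but RuntimeDirectory={run_dir.group(1)} "
                        f"is not set: the directory must exist and be writable by {user}")
    return sorted(findings)


# The unit from the post, unchanged.
HARDENED_UNIT = """\
[Unit]
Description=tvheadend
After=network.target
[Service]
User=tvheadend
Group=video
Type=simple
PIDFile=/run/tvheadend/tvheadend.pid
ExecStart=/usr/bin/tvheadend -p /run/tvheadend/tvheadend.pid -C -c /etc/tvheadend
ExecStop=/bin/kill -QUIT $MAINPID
Restart=always
RestartSec=5
# Hardening
PrivateTmp=yes
DeviceAllow=char-DVB
DevicePolicy=closed
ReadWriteDirectories=/mnt/local/record /etc/tvheadend
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
"""

# Constructed for contrast: the same daemon with no sandboxing at all.
WEAK_UNIT = """\
[Unit]
Description=tvheadend (unhardened)
[Service]
ExecStart=/usr/bin/tvheadend -C -c /etc/tvheadend
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    # Usage: python lint_unit.py [/etc/systemd/system/tvheadend.service]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HARDENED_UNIT
    for finding in check_unit(text) or ["no findings"]:
        print(finding)
```

Run against the posted unit it reports only the three caveats (ReadWritePaths= spelling, the redundant PIDFile=, the missing RuntimeDirectory=); against WEAK_UNIT it flags the root user and all five missing directives.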
This is tested with current tvheadend git, systemd-229 and linux-4.5, and only with DVB.
If you try it, and find issues, please share!
Serafean.
Bonus tip:
If you want tvheadend to bind to ports below 1024, add
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
to the [Service] section (untested).
The two lines do different jobs: CapabilityBoundingSet= only limits which capabilities the process may ever hold, while AmbientCapabilities= is what actually hands CAP_NET_BIND_SERVICE to the unprivileged tvheadend user across the exec of the daemon; with the bounding set alone the effective set stays empty and bind() still fails. AmbientCapabilities= needs systemd 229 and Linux 4.3 or newer, and it works together with NoNewPrivileges=yes, because ambient capabilities are retained across execve rather than gained by it.
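To confirm on the running daemon that the tip did what you wanted, decode the capability sets the kernel reports in /proc/<pid>/status: CAP_NET_BIND_SERVICE should be in CapEff, and nothing else should be anywhere. This is an added example for this post, not tvheadend or systemd code. The capability numbers are the kernel's (include/uapi/linux/capability.h; linux-4.5 stops at CAP_AUDIT_READ, current kernels go up to CAP_CHECKPOINT_RESTORE); the function names and the three sample status excerpts are constructed here.

```python
"""Decode a service's capability sets from /proc/<pid>/status.

Added example for the bonus tip above; it is not tvheadend or systemd code.
It shows how to confirm, on the running daemon, that CAP_NET_BIND_SERVICE is
in the effective set and nothing else is. Capability numbers are the kernel's
(include/uapi/linux/capability.h); the function names and the sample status
excerpts are constructed here.
"""

# Index = capability number as the kernel defines it.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_mask(hexmask):
    """Turn the hex bitmask printed in /proc/<pid>/status into a set of capability names."""
    mask = int(hexmask, 16)
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}


def parse_cap_sets(status_text):
    """Return {"CapInh": {...}, ..., "CapAmb": {...}} from the text of /proc/<pid>/status."""
    sets = {}
    for line in status_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in CAP_SETS:
            sets[name] = decode_mask(value.strip())
    return sets


def can_bind_low_ports(status_text):
    """True only if CAP_NET_BIND_SERVICE is in the *effective* set; the bounding set alone is not enough."""
    return "CAP_NET_BIND_SERVICE" in parse_cap_sets(status_text).get("CapEff", set())


def only_has(status_text, allowed):
    """True if no set holds anything beyond `allowed` (the least-privilege check)."""
    return all(caps <= set(allowed) for caps in parse_cap_sets(status_text).values())


def caps_of_pid(pid):
    """Read the live sets of a running process, e.g. the PID from /run/tvheadend/tvheadend.pid."""
    with open(f"/proc/{pid}/status") as status:
        return parse_cap_sets(status.read())


# Constructed sample 1: CapabilityBoundingSet=CAP_NET_BIND_SERVICE alone, with User=tvheadend.
# The bounding set is narrowed, but an unprivileged user ends up with an empty CapEff,
# so bind() to port 80 still fails with EACCES.
BOUNDING_ONLY = """\
Name:\ttvheadend
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""

# Constructed sample 2: the same unit with AmbientCapabilities=CAP_NET_BIND_SERVICE added.
# Bit 10 (0x400) is CAP_NET_BIND_SERVICE, now in the effective set and nothing else anywhere.
WITH_AMBIENT = """\
Name:\ttvheadend
CapInh:\t0000000000000400
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000400
"""

# Constructed sample 3: an unhardened service started as root on a kernel with 38 capabilities.
AS_ROOT = """\
Name:\ttvheadend
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""
```

On a live system, `caps_of_pid()` on the PID from the pid file should give the WITH_AMBIENT picture; if it looks like BOUNDING_ONLY, the AmbientCapabilities= line is missing or the systemd/kernel in use is too old to honour it.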