Add ProtectSystem and PrivateTmp to systemd service (#1452)

ProtectSystem mounts /boot, /efi and /usr as read only, basically
disallowing the daemon from ever writing there. PrivateTmp sets up a
file system namespace for /tmp and /var/tmp/ basically hiding it from
other processes.

Co-authored-by: Charles Kerr <charles@charleskerr.com>
Jelle van der Waa
2022-02-13 21:06:55 +01:00
committed by GitHub
parent 31cbb3b708
commit 18b8e98e3f

@@ -9,6 +9,8 @@ ExecStart=/usr/bin/transmission-daemon -f --log-error
ExecReload=/bin/kill -s HUP $MAINPID
NoNewPrivileges=true
MemoryDenyWriteExecute=true
ProtectSystem=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target
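
Review bot: ProtectSystem=true on the first added line only makes /usr, /boot and /efi read-only, so /etc and the rest of the file system stay writable by the daemon. If transmission-daemon does not need to write under /etc, consider `ProtectSystem=full`, or `ProtectSystem=strict` with `ReadWritePaths=` listing the configuration and download directories. For `PrivateTmp=true`, the commit message or unit comments should note that a download or watch directory configured under /tmp or /var/tmp will no longer be visible to other processes, since users with such a setup will see files stop appearing after this change.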