The dnsmasq.service systemd unit can be improved by having dnsmasq never run as root, restricting capabilities as much as possible, and limiting file system access. This has been discussed on the forums at https://forums.gentoo.org/viewtopic-p-7907924.html?sid=03b7d4158d14b19351a6c772b87a2fbd
https://github.com/gentoo/gentoo/pull/1798
Created attachment 439234 [details, diff] diff based on c1 PR link
I've posted to the upstream mailing list requesting that upstream distribute a systemd unit and that it have these features: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010656.html
The configuration option AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN is only with systemd-229, or newer. While I agree that some system hardening is a nice feature to introduce I would suggest that we let dnsmasq still handle the suid and sguid bits on its own. This has the advantage that the daemon can actually drop privileges/capabilities once it is done with setup. See #587588
