From a4fe9c98d74447ca96ba59610368486640fdbfd6 Mon Sep 17 00:00:00 2001
From: Daniel Wagner <dwagner@suse.de>
Date: Fri, 29 Sep 2023 14:28:16 +0200
Subject: [PATCH] systemd hardening effort

https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

Apply the recommended hardening settings but without
"ProtectKernelTunables=true" as we need write access to /sys.

Signed-off-by: Daniel Wagner <dwagner@suse.de>
---
 nvmf-autoconnect/systemd/nvmf-connect@.service.in | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nvmf-autoconnect/systemd/nvmf-connect@.service.in b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
index 5ba708..129cb4 100644
--- a/nvmf-autoconnect/systemd/nvmf-connect@.service.in
+++ b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
@@ -11,6 +11,14 @@ PartOf=nvmf-connect.target
 Requires=nvmf-connect.target
 
 [Service]
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 Type=simple
 Environment="CONNECT_ARGS=%i"
 ExecStart=/bin/sh -c "@SBINDIR@/nvme connect-all --context=autoconnect --quiet `/bin/echo -e '${CONNECT_ARGS}'`"
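Review bot: The comment added at the top of [Service] links the hardening guide but does not record why `ProtectKernelTunables=true` is left out, a decision that currently lives only in the commit message; add a line such as `# ProtectKernelTunables=true is deliberately omitted: nvme connect-all needs write access under /sys` so the next person applying the checklist does not re-add it. Whether a narrower `ReadWritePaths=` exception for the specific /sys path would allow keeping ProtectKernelTunables is worth checking against systemd.exec(5) before dropping the directive entirely. Note that the omitted directive would also have made /proc/sys read-only, so its absence leaves more than /sys writable; the exact mount set depends on the systemd version in use.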
-- 
2.42.0

