corosync-qdevice/0001-harden-services-with-systemd-sandboxing.patch

From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001
From: nicholasyang <nicholas.yang@suse.com>
Date: Wed, 13 Nov 2024 16:11:10 +0800
Subject: [PATCH] harden services with systemd sandboxing

---
 init/corosync-qdevice.service.in | 10 ++++++++++
 init/corosync-qnetd.service.in   | 13 +++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
index 5ffb498..824e557 100644
--- a/init/corosync-qdevice.service.in
+++ b/init/corosync-qdevice.service.in
@@ -14,5 +14,15 @@ Restart=on-failure
 RuntimeDirectory=corosync-qdevice
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
index a8d6a7e..64da610 100644
--- a/init/corosync-qnetd.service.in
+++ b/init/corosync-qnetd.service.in
@@ -16,5 +16,18 @@ Restart=on-abnormal
 RuntimeDirectory=corosync-qnetd
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
-- 
2.47.0
Sync from SUSE:SLFO:Main corosync-qdevice revision 646b7048f17314a09aa88ad1fec2a3d4 2024-12-20 16:03:10 +01:00			`From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001`
			`From: nicholasyang <nicholas.yang@suse.com>`
			`Date: Wed, 13 Nov 2024 16:11:10 +0800`
			`Subject: [PATCH] harden services with systemd sandboxing`

			`---`
			`init/corosync-qdevice.service.in \| 10 ++++++++++`
			`init/corosync-qnetd.service.in \| 13 +++++++++++++`
			`2 files changed, 23 insertions(+)`

			`diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in`
			`index 5ffb498..824e557 100644`
			`--- a/init/corosync-qdevice.service.in`
			`+++ b/init/corosync-qdevice.service.in`
			`@@ -14,5 +14,15 @@ Restart=on-failure`
			`RuntimeDirectory=corosync-qdevice`
			`RuntimeDirectoryMode=0770`

			`+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
			`+ProtectSystem=full`
			`+ProtectHome=true`
			`+PrivateDevices=true`
			`+ProtectHostname=true`
			`+ProtectClock=true`
			`+ProtectKernelTunables=true`
			`+ProtectKernelModules=true`
			`+ProtectKernelLogs=true`
			`+`
			`[Install]`
			`WantedBy=multi-user.target`
			`diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in`
			`index a8d6a7e..64da610 100644`
			`--- a/init/corosync-qnetd.service.in`
			`+++ b/init/corosync-qnetd.service.in`
			`@@ -16,5 +16,18 @@ Restart=on-abnormal`
			`RuntimeDirectory=corosync-qnetd`
			`RuntimeDirectoryMode=0770`

			`+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
			`+ProtectSystem=strict`
			`+ProtectHome=true`
			`+PrivateDevices=true`
			`+ProtectHostname=true`
			`+ProtectClock=true`
			`+ProtectKernelTunables=true`
			`+ProtectKernelModules=true`
			`+ProtectKernelLogs=true`
			`+ProtectControlGroups=true`
			`+RestrictRealtime=true`
			`+NoNewPrivileges=true`
			`+`
			`[Install]`
			`WantedBy=multi-user.target`
			`--`
			`2.47.0`