From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001
From: nicholasyang
Date: Wed, 13 Nov 2024 16:11:10 +0800
Subject: [PATCH] harden services with systemd sandboxing
---
 init/corosync-qdevice.service.in | 10 ++++++++++
 init/corosync-qnetd.service.in | 13 +++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
index 5ffb498..824e557 100644
--- a/init/corosync-qdevice.service.in
+++ b/init/corosync-qdevice.service.in
@@ -14,5 +14,15 @@ Restart=on-failure
 RuntimeDirectory=corosync-qdevice
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
index a8d6a7e..64da610 100644
--- a/init/corosync-qnetd.service.in
+++ b/init/corosync-qnetd.service.in
@@ -16,5 +16,18 @@ Restart=on-abnormal
 RuntimeDirectory=corosync-qnetd
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
-- 
2.47.0
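Review bot: The qdevice unit gets a visibly weaker profile than qnetd in the same commit (ProtectSystem=full rather than strict, and no NoNewPrivileges, ProtectControlGroups or RestrictRealtime) and the only comment is a URL, so a reader cannot tell whether the gap is deliberate or an oversight; the added block should record the reason. If qdevice must write somewhere outside RuntimeDirectory, the comment should name that path and `ReadWritePaths=` plus `ProtectSystem=strict` should be evaluated instead of loosening the whole profile; if it does not, the same directives as qnetd can be applied. Worth noting in the same comment that ProtectHostname, ProtectClock and ProtectKernelLogs are relatively recent directives (all present from systemd 245), and that older systemd versions log a warning and ignore unknown keys rather than refusing to start, so on such hosts the unit silently runs without that part of the sandbox. Suggested wording above ProtectSystem: `# ProtectSystem=full (not strict) because qdevice writes to <path — confirm>; NoNewPrivileges omitted because <reason>`.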
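Review bot: ProtectSystem=strict in the qnetd hunk makes the entire filesystem read-only except /dev, /proc, /sys and the directories systemd manages for the unit, yet no `ReadWritePaths=` or `StateDirectory=` is declared, so the change relies on qnetd writing nothing but RuntimeDirectory=corosync-qnetd (pid/lock file, socket); that assumption should be stated next to the directive, e.g. `# strict: qnetd only writes under RuntimeDirectory; the NSS database is opened read-only — confirm`, because an NSS database opened read-write or any log/state file outside that directory would fail only at runtime. The network-facing qnetd would also benefit from a few further standard sandboxing keys, which can be evaluated and appended after NoNewPrivileges: `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `PrivateTmp=true`, `RestrictNamespaces=true` (confirm against the socket families qnetd actually opens). As in the qdevice hunk, the recent directives are silently ignored by older systemd, which is worth one line in the comment.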