opa-fm/opa-fm-harden-systemd-service.patch

commit 9ee6db9866c42c00cd1f15c0a1f68f5d1a6c933d
Author: Nicolas Morey-Chaisemartin <nmoreychaisemartin@suse.com>
Date:   Tue Nov 2 16:20:47 2021 +0100

    opa-fm: harden systemd service
    
    Fixes: bsc#1181400
    Signed-off-by: Nicolas Morey-Chaisemartin <nmoreychaisemartin@suse.com>

diff --git Esm/ib/src/linux/startup/opafm.service Esm/ib/src/linux/startup/opafm.service
index d4c40b0675e1..3bf5568f9ebf 100755
--- Esm/ib/src/linux/startup/opafm.service
+++ Esm/ib/src/linux/startup/opafm.service
@@ -34,6 +34,17 @@ Description=OPA Fabric Manager
 After=rdma.service network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 User=root
 Type=forking
 ExecStart=/usr/lib/opa-fm/bin/opafmd -D