From 18f7ea47ba2d5014555959f3a6c7adb2fd6cc50f7047e1fdb43d45210a6fbffd Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Wed, 28 Jul 2021 08:20:17 +0000
Subject: [PATCH] Accepting request 908802 from home:jsegitz:branches:systemdhardening:GNOME:Factory

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/908802
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/accountsservice?expand=0&rev=146
---
 accountsservice.changes | 6 ++++++
 accountsservice.spec | 2 ++
 harden_accounts-daemon.service.patch | 21 +++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 harden_accounts-daemon.service.patch
diff --git a/accountsservice.changes b/accountsservice.changes
index 8f995d7..1abf278 100644
--- a/accountsservice.changes
+++ b/accountsservice.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul 27 11:53:56 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_accounts-daemon.service.patch
+
 -------------------------------------------------------------------
 Tue Mar 2 21:05:33 UTC 2021 - Antoine Belvire
diff --git a/accountsservice.spec b/accountsservice.spec
index f4ffed7..c3c7c37 100644
--- a/accountsservice.spec
+++ b/accountsservice.spec
@@ -40,6 +40,7 @@ Patch4: accountsservice-fix-gdm-crash.patch
 ## SLE and Leap only patches start at 1000
 # PATCH-FEATURE-SLE as-fate318433-prevent-same-account-multi-logins.patch fate#318433 cxiong@suse.com -- prevent multiple simultaneous login.
 Patch1000: as-fate318433-prevent-same-account-multi-logins.patch
+Patch1001: harden_accounts-daemon.service.patch
 BuildRequires: gtk-doc
 BuildRequires: meson
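Review bot: `Patch1001` is declared under the `## SLE and Leap only patches start at 1000` heading with no tag comment, but the matching `%patch1001 -p1` in the second accountsservice.spec hunk sits above `%if 0%{?sle_version}`, so the hardening patch is applied on every target. The 1000+ number says the opposite, and a later cleanup could move the line inside the conditional and silently drop the sandboxing from non-SLE builds. I would give it the next free general number (`Patch5: harden_accounts-daemon.service.patch` with `%patch5 -p1`, if 5 is unused) and put a comment above it such as `# PATCH-FEATURE-OPENSUSE harden_accounts-daemon.service.patch -- systemd sandboxing for accounts-daemon`. The preamble and %prep sections both continue outside these hunks.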
@@ -103,6 +104,7 @@ querying and manipulating user account information.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch1001 -p1
 # SLE and Leap patches start at 1000
 %if 0%{?sle_version}
diff --git a/harden_accounts-daemon.service.patch b/harden_accounts-daemon.service.patch
new file mode 100644
index 0000000..ee5a67e
--- /dev/null
+++ b/harden_accounts-daemon.service.patch
@@ -0,0 +1,21 @@
+Index: accountsservice-0.6.55/data/accounts-daemon.service.in
+===================================================================
+--- accountsservice-0.6.55.orig/data/accounts-daemon.service.in
++++ accountsservice-0.6.55/data/accounts-daemon.service.in
+@@ -8,6 +8,16 @@ After=nss-user-lookup.target
+ Wants=nss-user-lookup.target
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
+ Type=dbus
+ BusName=org.freedesktop.Accounts
+ ExecStart=@libexecdir@/accounts-daemon
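Review bot: `ProtectHome=true` in the embedded accounts-daemon.service.in hunk makes /home, /root and /run/user inaccessible to the daemon and to every helper it spawns, and the commit message says the directive set was not tested. accounts-daemon manages user accounts, so if it creates or removes home directories or reads user-supplied files such as icons from /home (not visible in this patch, please confirm), those operations would fail under this setting. I would exercise account creation, deletion and icon changes with the hardened unit loaded before shipping. If they break, drop the line and leave a comment in its place, e.g. `# ProtectHome omitted: daemon must create and remove home directories`. `systemd-analyze security accounts-daemon.service` shows what the remaining directives still cover.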