From ac8bf68b1e90bea0634de0a2c2d5cc3d516fc2127d0cb4a0b7b6ca459bc63a46 Mon Sep 17 00:00:00 2001
From: OBS User buildservice-autocommit
Date: Mon, 20 Sep 2021 21:32:23 +0000
Subject: [PATCH] Updating link to change in openSUSE:Factory/elfutils revision 90.0

OBS-URL: https://build.opensuse.org/package/show/Base:System/elfutils?expand=0&rev=afe93b46a24cd7ec01f36e9d694141c3
---
 elfutils-debuginfod.changes | 6 ++++++
 elfutils-debuginfod.spec | 1 +
 harden_debuginfod.service.patch | 24 ++++++++++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 harden_debuginfod.service.patch

diff --git a/elfutils-debuginfod.changes b/elfutils-debuginfod.changes
index e4bfd4f..8e5addf 100644
--- a/elfutils-debuginfod.changes
+++ b/elfutils-debuginfod.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 14 14:14:57 UTC 2021 - Martin Liška
+
+- Add harden_debuginfod.service.patch as
+ Automatic systemd hardening effort by the security team.
+
 -------------------------------------------------------------------
 Thu Aug 5 18:12:21 UTC 2021 - Martin Liška
 
diff --git a/elfutils-debuginfod.spec b/elfutils-debuginfod.spec
index 8fa13a1..118220e 100644
--- a/elfutils-debuginfod.spec
+++ b/elfutils-debuginfod.spec
@@ -30,6 +30,7 @@ Source2: elfutils.changes
 Source3: elfutils.keyring
 Patch0: disable-run-readelf-self-test.patch
 Patch1: tests-Allow-an-extra-pthread_kill-frame-in-backtrace.patch
+Patch2: harden_debuginfod.service.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
diff --git a/harden_debuginfod.service.patch b/harden_debuginfod.service.patch
new file mode 100644
index 0000000..68a940d
--- /dev/null
+++ b/harden_debuginfod.service.patch
@@ -0,0 +1,24 @@
+Index: elfutils-0.185/config/debuginfod.service
+===================================================================
+--- elfutils-0.185.orig/config/debuginfod.service
++++ elfutils-0.185/config/debuginfod.service
+@@ -12,6 +12,19 @@ ExecStart=/usr/bin/debuginfod -d /var/ca
+ # Stopping can take a long time if scanning of large archives is in progress
+ TimeoutStopSec=60
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+
+ [Install]
+ WantedBy=multi-user.target
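Review bot: `ProtectSystem=full` in the added block makes only /usr, /boot, /efi and /etc read-only, so /var and the rest of the tree stay writable to the service; `ProtectSystem=strict` together with `ReadWritePaths=<database directory given to -d>` would confine writes to the one location the daemon presumably needs. `NoNewPrivileges=true` is also missing from the list and costs nothing for a service that should never gain privileges through setuid binaries. `ProtectHome=true` makes /home, /root and /run/user inaccessible, so a scan path configured under a home directory would stop being indexed without any error at unit level; a comment next to the directive, e.g. `# scan paths under /home are not visible to the service`, would save an administrator the search. The ExecStart line is cut off in the inner hunk header, so the exact database path and the scan-path arguments are not visible here and should be checked against the full unit. Hand-made additions are probably best placed below the `# end of automatic additions` marker, on the assumption that the tooling rewrites what lies between the two markers.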