From fbbc35f4c4125279648ad7a17d8094dc2240a391be8a3984d2ff4e529487e790 Mon Sep 17 00:00:00 2001 From: Lee Duncan Date: Fri, 17 Sep 2021 21:16:51 +0000 Subject: [PATCH] Accepting request 918939 from home:jsegitz:branches:systemdhardening:network:fcoe Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/918939 OBS-URL: https://build.opensuse.org/package/show/network:fcoe/fcoe-utils?expand=0&rev=50 --- fcoe-utils.changes | 6 ++++++ fcoe-utils.spec | 2 ++ harden_fcoe.service.patch | 21 +++++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 harden_fcoe.service.patch diff --git a/fcoe-utils.changes b/fcoe-utils.changes index 919d22b..b23eb5c 100644 --- a/fcoe-utils.changes +++ b/fcoe-utils.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 14 08:23:41 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_fcoe.service.patch + ------------------------------------------------------------------- Thu Mar 25 17:09:14 UTC 2021 - Lee Duncan diff --git a/fcoe-utils.spec b/fcoe-utils.spec index f52947d..148877e 100644 --- a/fcoe-utils.spec +++ b/fcoe-utils.spec @@ -37,6 +37,7 @@ Summary: FCoE userspace management tools License: GPL-2.0-only Group: System/Daemons Source: %{name}-%{version}.tar.xz +Patch0: harden_fcoe.service.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{?systemd_requires} @@ -47,6 +48,7 @@ connections. %prep %setup -q +%patch0 -p1 %build autoreconf -vi diff --git a/harden_fcoe.service.patch b/harden_fcoe.service.patch new file mode 100644 index 0000000..5c987d6 --- /dev/null +++ b/harden_fcoe.service.patch 
@@ -0,0 +1,21 @@
+Index: fcoe-utils-1.0.34/etc/systemd/fcoe.service
+===================================================================
+--- fcoe-utils-1.0.34.orig/etc/systemd/fcoe.service
++++ fcoe-utils-1.0.34/etc/systemd/fcoe.service
+@@ -3,6 +3,16 @@ Description=Open-FCoE initiator daemon
+ After=syslog.target network.target
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ EnvironmentFile=/etc/fcoe/config
+ ExecStartPre=/sbin/modprobe -qa $SUPPORTED_DRIVERS
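Review bot: The added hardening block in `[Service]` leaves out `ProtectKernelModules=` without saying why, while the `ExecStartPre=/sbin/modprobe -qa $SUPPORTED_DRIVERS` line directly below it depends on module loading staying allowed. Because the block is marked as generated and the commit message says it is untested, a later hardening pass could add that directive and stop the drivers from loading; I would add a comment after `# end of automatic additions`, e.g. `# ProtectKernelModules= must stay unset: ExecStartPre loads $SUPPORTED_DRIVERS with modprobe`. The sandboxing directives apply to the `ExecStartPre=` command as well as the main process, so it is worth starting the unit once on an FCoE-capable host and confirming that the modules load and that the daemon can still write whatever it needs with `/etc` read-only under `ProtectSystem=full`. The unit continues past the end of this hunk, so `ExecStart=` and the paths it touches are not visible here.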