From 1ff1676d6742bdeb12a788e09a047b962bc66cc96e825465d1db6d63bad31671 Mon Sep 17 00:00:00 2001
From: Martin Hauke
Date: Mon, 27 Sep 2021 18:40:19 +0000
Subject: [PATCH] Accepting request 919470 from home:jsegitz:branches:systemdhardening:network Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/919470
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=32
---
 frr.changes | 6 ++++++
 frr.spec | 2 ++
 harden_frr.service.patch | 21 +++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 harden_frr.service.patch
diff --git a/frr.changes b/frr.changes
index c2bb64b..5b9ef65 100644
--- a/frr.changes
+++ b/frr.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_frr.service.patch
+
 -------------------------------------------------------------------
 Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski
diff --git a/frr.spec b/frr.spec
index 037b401..438415c 100644
--- a/frr.spec
+++ b/frr.spec
@@ -42,6 +42,7 @@ URL: https://www.frrouting.org
 Source: https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz
 Source1: %{name}-tmpfiles.d
 Patch1: 0001-disable-zmq-test.patch
+Patch2: harden_frr.service.patch
 BuildRequires: %{python_module Sphinx}
 BuildRequires: %{python_module devel}
 BuildRequires: %{python_module pytest}
@@ -182,6 +183,7 @@ developing OSPF-API and frr applications.
 %prep
 %setup -q -n %{name}-%{name}-%{version}
 %patch1 -p1
+%patch2 -p1
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors
diff --git a/harden_frr.service.patch b/harden_frr.service.patch
new file mode 100644
index 0000000..05bbc94
--- /dev/null
+++ b/harden_frr.service.patch
@@ -0,0 +1,21 @@
+Index: frr-frr-7.5.1/tools/frr.service
+===================================================================
+--- frr-frr-7.5.1.orig/tools/frr.service
++++ frr-frr-7.5.1/tools/frr.service
+@@ -7,6 +7,16 @@ Before=network.target
+ OnFailure=heartbeat-failed@%n.service
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectClock=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Nice=-5
+ Type=forking
+ NotifyAccess=all
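Review bot: `ProtectSystem=full` in the added `[Service]` block makes `/etc` read-only for every process the unit starts, and the commit message states the change has not been tested, so any routing daemon that saves its running configuration under `/etc` from inside the service would start failing on write. Where FRR's configuration directory lives is not visible in this patch, so confirm it against the package's file list; if it is under `/etc`, keep the protection and add an explicit exception such as `ReadWritePaths=<frr config dir>`. `ProtectKernelModules=true` deserves the same check on hosts where the service itself is expected to load kernel modules. A comment above the block recording which directives were verified against a running routing setup would help the next packager. The `[Service]` section continues beyond the hunk, so later directives that interact with these are not visible here.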