From 6320ca0e61e908e7bc25864e35c7e3140d5333e5e3e1d3767e16f6531743d906 Mon Sep 17 00:00:00 2001
From: Martin Hauke
Date: Thu, 16 Sep 2021 16:10:01 +0000
Subject: [PATCH] Accepting request 919471 from home:jsegitz:branches:systemdhardening:network Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/919471
OBS-URL: https://build.opensuse.org/package/show/network/fwknop?expand=0&rev=5
---
 fwknop.changes | 6 ++++++
 fwknopd.service | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/fwknop.changes b/fwknop.changes
index 5539c9b..285889d 100644
--- a/fwknop.changes
+++ b/fwknop.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 16 07:15:08 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * fwknopd.service
+
 -------------------------------------------------------------------
 Sun Jun 7 20:08:47 UTC 2020 - Martin Hauke
 
diff --git a/fwknopd.service b/fwknopd.service
index 46e2851..63c17b4 100644
--- a/fwknopd.service
+++ b/fwknopd.service
@@ -3,6 +3,18 @@ Description=Firewall Knock Operator Daemon
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/fwknopd.pid
 ExecStart=/usr/sbin/fwknopd
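Review bot: `ProtectKernelModules=true` in the added `[Service]` block of fwknopd.service is the directive most likely to change the daemon's behaviour, and the commit message states the set has not been tested. systemd documents that this setting removes CAP_SYS_MODULE and makes the module directory inaccessible, so if the firewall backend fwknopd drives has to load a netfilter module when the first rule is inserted, that load would presumably fail and a valid SPA packet would no longer open the port. `ProtectSystem=full` also mounts /etc read-only, which matters if any configured helper command writes there. I would verify an SPA-triggered rule add and expiry on a freshly booted host and record the result beside the block, e.g. `# verified: rule add/expiry works; netfilter modules must be loaded before start`. The block leaves the capability set unbounded for a root daemon that parses unauthenticated packets, so a `CapabilityBoundingSet=` restricted to what the firewall backend needs would be a worthwhile follow-up once the required set is confirmed.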