fwupd/harden_fwupd-refresh.service.patch

Index: fwupd-1.9.10/data/motd/fwupd-refresh.service.in
===================================================================
--- fwupd-1.9.10.orig/data/motd/fwupd-refresh.service.in
+++ fwupd-1.9.10/data/motd/fwupd-refresh.service.in
@@ -14,5 +14,13 @@ SystemCallFilter=~@mount
 ProtectKernelModules=yes
 ProtectControlGroups=yes
 RestrictRealtime=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+# end of automatic additions 
 SuccessExitStatus=2
 ExecStart=@bindir@/fwupdmgr refresh
Accepting request 1130755 from home:polslinux:branches:Base:System - Update to version 1.9.10: + This release adds the following features: - Add support for not_hardware requirements - Add support for loongarch64 - Add support for per-release priority attributes - Make USB claim retry count configurable across devices + This release fixes the following bugs: - Compare the HID report value when checking for duplicates - Consider the component priority when installing composite updates - Deploy the CCGX firmware correctly the first time - Do not export the 'main-system-firmware' and 'cpu' GUIDs - Enforce fwupd version requirements client side - Fix Genesys 'failed to get static tool info from device' error - Fix potential 'dereference before null check' in ccmx-dmc - Fix the 'already registered private FuMmDevice flag with value' warning - Fix the 'assertion backend_id != NULL failed' runtime warning - Fix Wacom USB device emulation by recording the composite phases - Generate generic request message text where possible - Hide HTTP passwords in fwupd debugging logs - Let the client know what interaction is expected - Make all critical warnings into backtraces for non-release builds - Never obsolete the wrong HSI attribute - Never show a HSI index that is impossible - Only apply fastboot plugin to modem devices supporting fastboot - Only send interactive requests when the sender is alive - Remove the now-obsolete Synaptics MST cascade device scanning - Replace the Redfish KCS user if required - Restrict mediatek-scaler devices on specific hardware only - Skip any recovery partitions when detecting ESP OBS-URL: https://build.opensuse.org/request/show/1130755 OBS-URL: https://build.opensuse.org/package/show/Base:System/fwupd?expand=0&rev=156 2023-12-04 14:01:59 +01:00			`Index: fwupd-1.9.10/data/motd/fwupd-refresh.service.in`
Accepting request 925357 from home:jsegitz:branches:systemdhardening:Base:System Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/925357 OBS-URL: https://build.opensuse.org/package/show/Base:System/fwupd?expand=0&rev=107 2021-10-18 08:28:00 +02:00			`===================================================================`
Accepting request 1130755 from home:polslinux:branches:Base:System - Update to version 1.9.10: + This release adds the following features: - Add support for not_hardware requirements - Add support for loongarch64 - Add support for per-release priority attributes - Make USB claim retry count configurable across devices + This release fixes the following bugs: - Compare the HID report value when checking for duplicates - Consider the component priority when installing composite updates - Deploy the CCGX firmware correctly the first time - Do not export the 'main-system-firmware' and 'cpu' GUIDs - Enforce fwupd version requirements client side - Fix Genesys 'failed to get static tool info from device' error - Fix potential 'dereference before null check' in ccmx-dmc - Fix the 'already registered private FuMmDevice flag with value' warning - Fix the 'assertion backend_id != NULL failed' runtime warning - Fix Wacom USB device emulation by recording the composite phases - Generate generic request message text where possible - Hide HTTP passwords in fwupd debugging logs - Let the client know what interaction is expected - Make all critical warnings into backtraces for non-release builds - Never obsolete the wrong HSI attribute - Never show a HSI index that is impossible - Only apply fastboot plugin to modem devices supporting fastboot - Only send interactive requests when the sender is alive - Remove the now-obsolete Synaptics MST cascade device scanning - Replace the Redfish KCS user if required - Restrict mediatek-scaler devices on specific hardware only - Skip any recovery partitions when detecting ESP OBS-URL: https://build.opensuse.org/request/show/1130755 OBS-URL: https://build.opensuse.org/package/show/Base:System/fwupd?expand=0&rev=156 2023-12-04 14:01:59 +01:00			`--- fwupd-1.9.10.orig/data/motd/fwupd-refresh.service.in`
			`+++ fwupd-1.9.10/data/motd/fwupd-refresh.service.in`
			`@@ -14,5 +14,13 @@ SystemCallFilter=~@mount`
Accepting request 925357 from home:jsegitz:branches:systemdhardening:Base:System Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/925357 OBS-URL: https://build.opensuse.org/package/show/Base:System/fwupd?expand=0&rev=107 2021-10-18 08:28:00 +02:00			`ProtectKernelModules=yes`
			`ProtectControlGroups=yes`
			`RestrictRealtime=yes`
			`+# added automatically, for details please see`
			`+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
			`+ProtectSystem=full`
			`+ProtectHome=true`
			`+ProtectHostname=true`
			`+ProtectKernelTunables=true`
			`+ProtectKernelLogs=true`
			`+# end of automatic additions`
			`SuccessExitStatus=2`
			`ExecStart=@bindir@/fwupdmgr refresh`