From 1c879f805a16d04758b9aad410ba900dbb030a6f015b8fcb1f4cb781ee04ebc6 Mon Sep 17 00:00:00 2001
From: Malcolm Lewis
Date: Thu, 30 Sep 2021 12:36:53 +0000
Subject: [PATCH] Accepting request 921085 from home:jsegitz:branches:systemdhardening:network:utilities
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/921085
OBS-URL: https://build.opensuse.org/package/show/network:utilities/iodine?expand=0&rev=21
---
 iodine.changes | 7 +++++++
 iodine.service | 13 +++++++++++++
 iodined.service | 13 +++++++++++++
 3 files changed, 33 insertions(+)
diff --git a/iodine.changes b/iodine.changes
index f2e8b97..de77d68 100644
--- a/iodine.changes
+++ b/iodine.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Sep 22 14:45:53 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * iodine.service
+ * iodined.service
+
 -------------------------------------------------------------------
 Sun Jun 13 13:35:10 UTC 2021 - Callum Farmer
diff --git a/iodine.service b/iodine.service
index 3506867..ec03160 100644
--- a/iodine.service
+++ b/iodine.service
@@ -8,6 +8,19 @@ Description=iodine lets you tunnel IPv4 data through a DNS server
 After=network.target syslog.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 EnvironmentFile=-/etc/sysconfig/iodine
 Environment=TERM=linux
diff --git a/iodined.service b/iodined.service
index c46827a..fbc5da8 100644
--- a/iodined.service
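Review bot: `PrivateDevices=true` in the block added to iodine.service (and the identical block in iodined.service) gives the unit a private /dev holding only pseudo-devices such as /dev/null and /dev/urandom, so /dev/net/tun is not reachable from the service. Both units describe themselves as tunnelling IPv4 data over DNS, which presumably needs a tun interface, and the commit message states the change was not tested; ExecStart lies outside the hunk, so this should be confirmed by starting both services. If the tunnel device cannot be opened, keep a device restriction rather than dropping the line outright: replace it with `DevicePolicy=closed` and `DeviceAllow=/dev/net/tun rw`.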
+++ b/iodined.service
@@ -8,6 +8,19 @@ Description=iodined lets you tunnel IPv4 data through a DNS server
 After=network.target syslog.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 EnvironmentFile=-/etc/sysconfig/iodined
 Environment=TERM=linux
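Review bot: The block added to iodined.service shapes the filesystem and kernel-interface view but leaves the process's privileges as they were: nothing in the hunk sets `CapabilityBoundingSet=`, `NoNewPrivileges=` or `User=`. The systemd.exec documentation notes that mount-namespace settings such as `ProtectSystem=` and `ProtectHome=` can be undone by a process that still holds CAP_SYS_ADMIN, and iodined is presumably the side that parses DNS traffic arriving from the network. Adding `CapabilityBoundingSet=~CAP_SYS_ADMIN` and `NoNewPrivileges=true` would make the existing lines hold against a compromised daemon; the same applies to iodine.service. The rest of the unit (ExecStart, any user switch) is outside the hunk, so verify which capabilities the daemon actually needs before narrowing the set further.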