From a50cc09f164fe3a433887fa756cd1eec4b0f19933d5a4cdc6280f60a6208762b Mon Sep 17 00:00:00 2001
From: Martin Hauke
Date: Tue, 12 Oct 2021 18:56:22 +0000
Subject: [PATCH] Accepting request 924893 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/924893
OBS-URL: https://build.opensuse.org/package/show/network/ndppd?expand=0&rev=5
---
 harden_ndppd.service.patch | 23 +++++++++++++++++++++++
 ndppd.changes | 6 ++++++
 ndppd.spec | 2 ++
 3 files changed, 31 insertions(+)
 create mode 100644 harden_ndppd.service.patch

diff --git a/harden_ndppd.service.patch b/harden_ndppd.service.patch
new file mode 100644
index 0000000..dcde400
--- /dev/null
+++ b/harden_ndppd.service.patch
@@ -0,0 +1,23 @@
+Index: ndppd-0.2.5.43/ndppd.service
+===================================================================
+--- ndppd-0.2.5.43.orig/ndppd.service
++++ ndppd-0.2.5.43/ndppd.service
+@@ -3,6 +3,18 @@ Description=NDP Proxy Daemon
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ExecStart=/usr/sbin/ndppd -d -p /var/run/ndppd/ndppd.pid
+ Type=forking
+ PIDFile=/var/run/ndppd/ndppd.pid
diff --git a/ndppd.changes b/ndppd.changes
index e99bcb1..ca6f777 100644
--- a/ndppd.changes
+++ b/ndppd.changes
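Review bot: The daemon still runs with the full root capability set and unrestricted socket families after the hardening block added under `[Service]` in harden_ndppd.service.patch; the new `Protect*` directives only limit filesystem and kernel-interface access. Once the privileges ndppd actually needs are confirmed (presumably raw-socket and interface or route handling, which is inferred and not visible in this hunk), consider adding `NoNewPrivileges=true` and a `CapabilityBoundingSet=` line limited to those capabilities. Because the commit message says the change has not been tested, `ProtectKernelTunables=true` deserves a start-up check as well: it makes /proc/sys read-only, so any sysctl write the daemon performs would now fail. The PID file under /var/run stays writable with `ProtectSystem=full`, so `Type=forking` with `PIDFile=` should be unaffected.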
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 11 07:23:40 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_ndppd.service.patch
+
 -------------------------------------------------------------------
 Tue Dec 18 12:54:41 UTC 2018 - Jan Engelhardt
 
diff --git a/ndppd.spec b/ndppd.spec
index 1b50bfb..b83818e 100644
--- a/ndppd.spec
+++ b/ndppd.spec
@@ -27,6 +27,7 @@ URL: https://github.com/DanielAdolfsson/ndppd
 #Source: https://github.com/DanielAdolfsson/%%{name}/archive/%%{version}.tar.gz#/%%{name}-%%{version}.tar.gz
 Source: %{name}-%{version}.tar.xz
 Source1: ndppd-tmpfiles.conf
+Patch0: harden_ndppd.service.patch
 BuildRequires: gcc-c++
 BuildRequires: pkgconfig
 BuildRequires: systemd-rpm-macros
@@ -44,6 +45,7 @@ The daemon is partially compliant with (experimental) RFC4389.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 export CXXFLAGS='%{optflags}'