From b0ba46745c3e498ea51ca0fe45887e053780157ae19d8e37ee2ec8981aabb66e Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Thu, 21 Oct 2021 17:20:22 +0000 Subject: [PATCH] Accepting request 926720 from home:jsegitz:branches:systemdhardening:security:chipcard Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/926720 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/pcsc-lite?expand=0&rev=171 --- harden_pcscd.service.patch | 22 ++++++++++++++++++++++ pcsc-lite.changes | 6 ++++++ pcsc-lite.spec | 2 ++ 3 files changed, 30 insertions(+) create mode 100644 harden_pcscd.service.patch
diff --git a/harden_pcscd.service.patch b/harden_pcscd.service.patch
new file mode 100644
index 0000000..706ee2b
--- /dev/null
+++ b/harden_pcscd.service.patch
@@ -0,0 +1,22 @@
+Index: pcsc-lite-1.9.4/etc/pcscd.service.in
+===================================================================
+--- pcsc-lite-1.9.4.orig/etc/pcscd.service.in
++++ pcsc-lite-1.9.4/etc/pcscd.service.in
+@@ -4,6 +4,17 @@ Requires=pcscd.socket
+ Documentation=man:pcscd(8)
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment="PCSCD_OPTIONS="
+ EnvironmentFile=-/etc/sysconfig/pcscd
+ ExecStart=@sbindir_exp@/pcscd --foreground $PCSCD_OPTIONS
diff --git a/pcsc-lite.changes b/pcsc-lite.changes
index 03ddf60..c0e6e84 100644
--- a/pcsc-lite.changes
+++ b/pcsc-lite.changes
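Review bot: The inserted [Service] block (ProtectSystem=full through RestrictRealtime=true) records where the options came from but not why the device- and network-scoping directives are absent, and the commit message itself says the set has not been tested, so a later maintainer cannot tell whether PrivateDevices=, DevicePolicy= or RestrictAddressFamilies= were left out on purpose. Presumably they were omitted because pcscd needs the reader device nodes and the listener handed over by pcscd.socket (see the Requires= line in the hunk header), and ProtectSystem=full already makes /etc read-only for a daemon that reads /etc/sysconfig/pcscd. Suggest extending the comment so the intent survives the next automated pass: `# PrivateDevices=/DevicePolicy= deliberately not set: pcscd must reach reader device nodes` and `# options below untested at the time of adding; verify reader access after changes`. The unit's [Unit] section and any options after ExecStart= lie outside the hunk.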
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 18 13:25:25 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_pcscd.service.patch
+
 -------------------------------------------------------------------
 Thu Oct 7 14:36:44 UTC 2021 - Wolfgang Rosenauer
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index 4c95279..efab7c7 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -40,6 +40,7 @@ Source6: pcsc-lite-reader-conf
 Source7: https://pcsclite.apdu.fr/files/%{name}-%{version}.tar.bz2.asc
 Source8: %{name}.keyring
 Patch0: systemd-service.patch
+Patch1: harden_pcscd.service.patch
 BuildRequires: gcc
 BuildRequires: libtool
 BuildRequires: pkg-config
@@ -109,6 +110,7 @@ compile plugins for the pcsc-lite package.
 %setup -q
 %patch0 -p1
 cp -a %{SOURCE1} %{SOURCE2} %{SOURCE6} .
+%patch1 -p1
 %build
 %configure \