From 02666d7b728369758af260f96f10c589726a7b4cc8dee999c6e79b6a68f605fa Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Thu, 11 Nov 2021 04:32:20 +0000
Subject: [PATCH] Accepting request 926704 from home:jsegitz:branches:systemdhardening:hardware

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/926704
OBS-URL: https://build.opensuse.org/package/show/hardware/powerman?expand=0&rev=43
---
 harden_powerman.service.patch | 22 ++++++++++++++++++++++
 powerman.changes | 6 ++++++
 powerman.spec | 2 ++
 3 files changed, 30 insertions(+)
 create mode 100644 harden_powerman.service.patch
diff --git a/harden_powerman.service.patch b/harden_powerman.service.patch
new file mode 100644
index 0000000..7e729a1
--- /dev/null
+++ b/harden_powerman.service.patch
@@ -0,0 +1,22 @@
+Index: powerman-2.3.26/scripts/powerman.service.in
+===================================================================
+--- powerman-2.3.26.orig/scripts/powerman.service.in
++++ powerman-2.3.26/scripts/powerman.service.in
+@@ -5,6 +5,17 @@ After=syslog.target network.target
+ [Service]
+ Type=forking
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ User=@RUN_AS_USER@
+ Group=@RUN_AS_GROUP@
+ ExecStart=/usr/sbin/powermand
diff --git a/powerman.changes b/powerman.changes
index 233befb..9fd3ca3 100644
--- a/powerman.changes
+++ b/powerman.changes
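Review bot: The block added between `PrivateTmp=yes` and `User=@RUN_AS_USER@` changes privilege behaviour without saying so: as far as I know, systemd implies `NoNewPrivileges=yes` for `ProtectHostname=`, the `ProtectKernel*=` options and `RestrictRealtime=` when the unit runs without CAP_SYS_ADMIN, which is the case once `User=` resolves to a non-root account. Because `@RUN_AS_USER@` is substituted at build time, I would state the setting explicitly with `NoNewPrivileges=true` so the outcome does not depend on the configured user, or at least record it in the comment, e.g. `# implies NoNewPrivileges=yes for a non-root User=; helpers started by powermand cannot gain privileges via setuid`. `ProtectSystem=full` also makes /usr, /boot, /efi and /etc read-only for the daemon, so any path powermand writes at runtime has to live outside those trees. The commit message says the change was not tested, so both points should be confirmed by starting the unit on a test host before release. The rest of the unit file lies outside this embedded hunk.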
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 19 13:06:07 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_powerman.service.patch
+
 -------------------------------------------------------------------
 Thu May 13 07:54:21 UTC 2021 - pgajdos@suse.com
diff --git a/powerman.spec b/powerman.spec
index 61d8704..514da95 100644
--- a/powerman.spec
+++ b/powerman.spec
@@ -39,6 +39,7 @@ URL: https://github.com/chaos/powerman
 Source0: https://github.com/chaos/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch1: service-dynamic-user-autofiles.patch
 Patch2: service-dynamic-user-configure.patch
+Patch3: harden_powerman.service.patch
 BuildRequires: automake
 BuildRequires: fdupes
 BuildRequires: ncurses-devel
@@ -80,6 +81,7 @@ Header files, pkg-config file and man pages for developing applications using Po
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
 %configure \