diff --git a/harden_pulseaudio.service.patch b/harden_pulseaudio.service.patch
new file mode 100644
index 0000000..4683b58
--- /dev/null
+++ b/harden_pulseaudio.service.patch
@@ -0,0 +1,24 @@
+Index: pulseaudio-15.0/src/daemon/systemd/user/pulseaudio.service.in
+===================================================================
+--- pulseaudio-15.0.orig/src/daemon/systemd/user/pulseaudio.service.in
++++ pulseaudio-15.0/src/daemon/systemd/user/pulseaudio.service.in
+@@ -23,6 +23,19 @@ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+ Restart=on-failure
+ RestrictNamespaces=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+ # Note that notify will only work if --daemonize=no
diff --git a/pulseaudio.changes b/pulseaudio.changes
index fba5d43..1ca4f74 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 20 14:37:33 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_pulseaudio.service.patch
+ Modified:
+ * pulseaudio.service
+
 -------------------------------------------------------------------
 Fri Oct 8 10:56:52 UTC 2021 - Jan Engelhardt
diff --git a/pulseaudio.service b/pulseaudio.service
index be0439a..0685f27 100644
--- a/pulseaudio.service
+++ b/pulseaudio.service
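Review bot: `PrivateDevices=true` in the block added to the user unit gives the service a private /dev that holds only pseudo-devices such as /dev/null and /dev/random, so the ALSA nodes under /dev/snd that a sound server has to open are not visible to it; the same line is added to the system-wide unit in the pulseaudio.service hunk of this commit. In this per-user unit `ProtectHome=read-only` additionally makes /home and /run/user read-only, and PulseAudio normally keeps its state and runtime files under those trees (presumably ~/.config/pulse and $XDG_RUNTIME_DIR/pulse, to be confirmed against the build). I would drop `PrivateDevices=true` from both units and either drop `ProtectHome=read-only` here or pair it with a `ReadWritePaths=` entry for the two pulse directories, then confirm playback and capture still work before the generated block ships. The [Service] section being patched starts and ends outside this hunk.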
@@ -3,6 +3,19 @@ Description=System wide PulseAudio instance
 After=syslog.target network.target alsasound.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 Restart=always
 ExecStart=/usr/bin/pulseaudio --system --log-target=journal
diff --git a/pulseaudio.spec b/pulseaudio.spec
index 4cb0b13..38ced8d 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -53,6 +53,7 @@ Patch1: suppress-socket-error-msg.diff
 Patch5: qpaeq-shebang.patch
 # PATCH-FIX-OPENSUSE Workaround for old systemd on Leap 15.x
 Patch6: pulseaudio-old-systemd-workaround.patch
+Patch7: harden_pulseaudio.service.patch
 BuildRequires: alsa-devel >= 1.0.19
 BuildRequires: bluez-devel >= 5
 BuildRequires: fdupes
@@ -334,6 +335,7 @@ System user for PulseAudio
 %if 0%{?suse_version} < 1550
 %patch6 -p1
 %endif
+%patch7 -p1
 %build
 %meson \
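Review bot: In the pulseaudio.service hunk, the system-wide unit (started with `--system`) receives only the generated Protect*/Restrict* block, while the user unit patched elsewhere in this commit already carries `NoNewPrivileges=yes`, `RestrictNamespaces=yes`, `SystemCallArchitectures=native` and `SystemCallFilter=@system-service` as context lines. The visible part of this [Service] section shows none of those, although the section continues past the hunk and may set them further down. If they are absent, the system-wide instance ends up with the weaker profile of the two; I would evaluate adding at least `NoNewPrivileges=yes` and `SystemCallArchitectures=native` here, testing that the daemon still starts under `--system`.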