From 67fb7da0e04c80797234472f642af5bbe104374a4d82d6bc4c1a2ba9f5a60dfd Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Thu, 27 Apr 2023 22:03:15 +0000
Subject: [PATCH] Accepting request 932193 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/932193
OBS-URL: https://build.opensuse.org/package/show/network/rpcbind?expand=0&rev=101
---
 harden_rpcbind.service.patch | 24 ++++++++++++++++++++++++
 rpcbind.changes              |  6 ++++++
 rpcbind.spec                 |  1 +
 3 files changed, 31 insertions(+)
 create mode 100644 harden_rpcbind.service.patch

diff --git a/harden_rpcbind.service.patch b/harden_rpcbind.service.patch
new file mode 100644
index 0000000..0f47a8d
--- /dev/null
+++ b/harden_rpcbind.service.patch
@@ -0,0 +1,24 @@
+Index: rpcbind-1.2.6/systemd/rpcbind.service.in
+===================================================================
+--- rpcbind-1.2.6.orig/systemd/rpcbind.service.in
++++ rpcbind-1.2.6/systemd/rpcbind.service.in
+@@ -11,6 +11,19 @@ Wants=rpcbind.target
+ After=sysinit.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=notify
+ # distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
+ EnvironmentFile=-/etc/sysconfig/rpcbind
diff --git a/rpcbind.changes b/rpcbind.changes
index ffd8b99..88d7484 100644
--- a/rpcbind.changes
+++ b/rpcbind.changes
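Review bot: The new [Service] directives are described as untested in the commit message and nothing in the hunk records a verification step, so before this ships the service should be confirmed to start and answer `rpcinfo -p` with ProtectSystem=full and PrivateDevices=true in effect, and the resulting exposure recorded with `systemd-analyze security rpcbind.service`. ProtectSystem=full keeps /run writable, which is presumably where rpcbind's state lives if the name of Patch2 (0001-change-lockingdir-to-run.patch) is accurate, but that is an inference from the spec file, not from this hunk. The set stops short of `NoNewPrivileges=true` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`; the latter needs to be validated against rpcbind's local AF_UNIX socket and any netlink use before it is added. I would also extend the opening comment so the status is visible to the next maintainer, e.g. `# added automatically (not functionally tested when added), for details please see`.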
@@ -8,6 +8,12 @@ Tue Dec 27 13:16:20 UTC 2022 - Ludwig Nussel
 - Replace transitional %usrmerged macro with regular version check (boo#1206798)
+-------------------------------------------------------------------
+Tue Nov 16 07:39:53 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_rpcbind.service.patch
+
 -------------------------------------------------------------------
 Mon Jun 21 15:44:17 UTC 2021 - Callum Farmer
diff --git a/rpcbind.spec b/rpcbind.spec
index 833c3e3..173939d 100644
--- a/rpcbind.spec
+++ b/rpcbind.spec
@@ -33,6 +33,7 @@ Source2: sysconfig.rpcbind
 Source5: rpc-user.conf
 Patch1: 0001-systemd-unit-files.patch
 Patch2: 0001-change-lockingdir-to-run.patch
+Patch3: harden_rpcbind.service.patch
 BuildRequires: libtirpc-devel >= 1.0.1
 BuildRequires: libtool
 BuildRequires: pkgconfig
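Review bot: The spec hunk declares `Patch3: harden_rpcbind.service.patch` but the diffstat shows only this single insertion in rpcbind.spec, so no matching `%patch3 -p1` was added to %prep; unless the spec applies patches with %autosetup or %autopatch (the %prep section is outside this diff, so I cannot tell), the hardening patch is declared but never applied and the unit file ships unchanged. The neighbouring Patch1 and Patch2 declarations give no hint either way, so this should be confirmed in %prep before the request is accepted. If patches are applied individually, the fix is one line in %prep after the Patch2 application: `%patch3 -p1`.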