From ab38be02249e872e1f2a48281e6d5ebdedcf472e109941525f86b00f05e93c45 Mon Sep 17 00:00:00 2001
From: Jean Delvare
Date: Mon, 22 Nov 2021 10:25:30 +0000
Subject: [PATCH] Accepting request 932179 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/932179
OBS-URL: https://build.opensuse.org/package/show/Base:System/sensors?expand=0&rev=120
---
 harden_fancontrol.service.patch | 21 +++++++++++++++++++++
 harden_lm_sensors.service.patch | 21 +++++++++++++++++++++
 harden_sensord.service.patch | 21 +++++++++++++++++++++
 sensors.changes | 8 ++++++++
 sensors.spec | 6 ++++++
 5 files changed, 77 insertions(+)
 create mode 100644 harden_fancontrol.service.patch
 create mode 100644 harden_lm_sensors.service.patch
 create mode 100644 harden_sensord.service.patch

diff --git a/harden_fancontrol.service.patch b/harden_fancontrol.service.patch
new file mode 100644
index 0000000..acfa05e
--- /dev/null
+++ b/harden_fancontrol.service.patch
@@ -0,0 +1,21 @@
+Index: lm-sensors-3-6-0/prog/init/fancontrol.service
+===================================================================
+--- lm-sensors-3-6-0.orig/prog/init/fancontrol.service
++++ lm-sensors-3-6-0/prog/init/fancontrol.service
+@@ -4,6 +4,16 @@ ConditionFileNotEmpty=/etc/fancontrol
+ After=lm_sensors.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ PIDFile=/run/fancontrol.pid
+ ExecStart=/usr/sbin/fancontrol
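Review bot: ProtectKernelTunables=true in this hunk makes /sys read-only for the unit, but fancontrol (ExecStart=/usr/sbin/fancontrol is visible as context) works by writing pwm* attributes under /sys/class/hwmon, so with this patch applied the service is likely to start and then fail at its first fan-speed write. The commit message itself says the change is untested; before shipping, drop `ProtectKernelTunables=true` from this patch or confirm on hardware with a fancontrol configuration that the service still drives the fans and that the other six directives hold. The same directive in harden_lm_sensors.service.patch (next file) is suspect for the same reason if that unit runs `sensors -s`, which writes limit attributes to sysfs; sensord only reads hwmon data, so harden_sensord.service.patch is not affected by this point.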
diff --git a/harden_lm_sensors.service.patch b/harden_lm_sensors.service.patch
new file mode 100644
index 0000000..0c4005b
--- /dev/null
+++ b/harden_lm_sensors.service.patch
@@ -0,0 +1,21 @@
+Index: lm-sensors-3-6-0/prog/init/lm_sensors.service
+===================================================================
+--- lm-sensors-3-6-0.orig/prog/init/lm_sensors.service
++++ lm-sensors-3-6-0/prog/init/lm_sensors.service
+@@ -2,6 +2,16 @@
+ Description=Initialize hardware monitoring sensors
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ EnvironmentFile=/etc/sysconfig/lm_sensors
+ Type=oneshot
+ RemainAfterExit=yes
diff --git a/harden_sensord.service.patch b/harden_sensord.service.patch
new file mode 100644
index 0000000..4c5f3fa
--- /dev/null
+++ b/harden_sensord.service.patch
@@ -0,0 +1,21 @@
+Index: lm-sensors-3-6-0/prog/init/sensord.service
+===================================================================
+--- lm-sensors-3-6-0.orig/prog/init/sensord.service
++++ lm-sensors-3-6-0/prog/init/sensord.service
+@@ -3,6 +3,16 @@ Description=Log hardware monitoring data
+ After=lm_sensors.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ EnvironmentFile=/etc/sysconfig/sensord
+ Type=forking
+ PIDFile=/run/sensord.pid
diff --git a/sensors.changes b/sensors.changes
index a577817..5ef1eb8 100644
--- a/sensors.changes
+++ b/sensors.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Nov 16 15:44:52 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_fancontrol.service.patch
+ * harden_lm_sensors.service.patch
+ * harden_sensord.service.patch
+
 -------------------------------------------------------------------
 Fri Aug 20 09:40:26 UTC 2021 - Jan Engelhardt
 
diff --git a/sensors.spec b/sensors.spec
index 9ee3ef5..f32bd92 100644
--- a/sensors.spec
+++ b/sensors.spec
@@ -52,6 +52,9 @@ Patch11: pwmconfig-raise-fan-threshold.patch
 #PATCH-FIX-UPSTREAM Change PIDFile path from /var/run to /run
 Patch12: change-pidfile-path-from-var-run-to-run.patch
 Patch13: var-run-deprecated.patch
+Patch14: harden_fancontrol.service.patch
+Patch15: harden_lm_sensors.service.patch
+Patch16: harden_sensord.service.patch
 BuildRequires: bison
 BuildRequires: flex
 BuildRequires: rrdtool-devel
@@ -124,6 +127,9 @@ sense to the user.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 RPM_OPT_FLAGS="%{optflags}"
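Review bot: The three new Patch14–Patch16 lines in the first sensors.spec hunk carry no description comment, while the surrounding entries use a `#PATCH-FIX-*` tag (see the `#PATCH-FIX-UPSTREAM` line above Patch12), so a later maintainer has to open sensors.changes to learn why they exist or whether they can be dropped. Add one comment above each, e.g. `#PATCH-FIX-OPENSUSE harden_fancontrol.service.patch bsc#1181400 -- systemd hardening, untested, see sensors.changes`, and the same wording for the lm_sensors and sensord patches. The second spec hunk (the %patch14..16 -p1 lines) follows the existing -p1 convention and needs no change.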