From f793ade1c03e443c81696916b8213b7a97cc8fd58ee2dbe60da6ec8f36ef0926 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Sun, 28 Nov 2021 19:22:08 +0000 Subject: [PATCH] Accepting request 933471 from home:jsegitz:branches:systemdhardening:filesystems Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/933471 OBS-URL: https://build.opensuse.org/package/show/filesystems/systemd-zram-service?expand=0&rev=4 --- systemd-zram-service.changes | 6 ++++++ zramswap.service | 13 +++++++++++++ 2 files changed, 19 insertions(+) diff --git a/systemd-zram-service.changes b/systemd-zram-service.changes index 5c1b718..043c489 100644 --- a/systemd-zram-service.changes +++ b/systemd-zram-service.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Nov 24 12:39:05 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * zramswap.service + ------------------------------------------------------------------- Mon Dec 17 22:59:00 UTC 2018 - malcolmlewis@opensuse.org diff --git a/zramswap.service b/zramswap.service index 797e638..14376dd 100644 --- a/zramswap.service +++ b/zramswap.service @@ -8,6 +8,19 @@ Description=Service enabling compressing RAM with zRam After=multi-user.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/sbin/zramswapon ExecStop=/usr/sbin/zramswapoff
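Review bot: The new entry in systemd-zram-service.changes names only the modified file, zramswap.service, and not the directives that were added. The commit message states that the change has not been tested, so listing the added options in the entry, or at least saying that they are automatic and untested additions, would let someone reading only the package changelog connect a later zram swap regression to this change.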
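Review bot: In the zramswap.service hunk, PrivateDevices=true, ProtectKernelModules=true and ProtectKernelTunables=true look incompatible with what this unit is described as doing ("Service enabling compressing RAM with zRam"). PrivateDevices=true gives the service a private /dev that holds only pseudo-devices such as /dev/null and /dev/zero, so ExecStart=/usr/sbin/zramswapon would not see any /dev/zram* block device. ProtectKernelModules=true removes CAP_SYS_MODULE, so the script could not load a kernel module. ProtectKernelTunables=true makes /sys and /proc/sys read-only, so zram parameters under /sys could not be written. The script body is not part of this patch, so this needs checking against it. Given that the commit message says the change has not been tested, either drop these three lines and keep the rest, or run a start/stop cycle of the unit and confirm that zram swap is actually active afterwards before accepting.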