From e57e6f060f33298e1c8f95a2f57ba977404b0523f320cb8f03bb319c3e8f7732 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Fri, 26 Nov 2021 18:04:27 +0000
Subject: [PATCH] Accepting request 933785 from home:jsegitz:branches:systemdhardening:Base:System
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/933785
OBS-URL: https://build.opensuse.org/package/show/Base:System/tgt?expand=0&rev=50
---
 harden_tgtd.service.patch | 20 ++++++++++++++++++++
 tgt.changes | 8 ++++++++
 tgt.spec | 2 ++
 tgtd.service | 9 +++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 harden_tgtd.service.patch
diff --git a/harden_tgtd.service.patch b/harden_tgtd.service.patch
new file mode 100644
index 0000000..5d933f2
--- /dev/null
+++ b/harden_tgtd.service.patch
@@ -0,0 +1,20 @@
+Index: tgt-1.0.74/scripts/tgtd.service
+===================================================================
+--- tgt-1.0.74.orig/scripts/tgtd.service
++++ tgt-1.0.74/scripts/tgtd.service
+@@ -9,6 +9,15 @@ After=network.target
+ ConditionPathExists=/etc/tgt/targets.conf
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ Environment=TGTD_CONFIG=/etc/tgt/targets.conf
+ 
diff --git a/tgt.changes b/tgt.changes
index 774f0ac..38f96a5 100644
--- a/tgt.changes
+++ b/tgt.changes
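Review bot: The added Protect*/Restrict* block sandboxes a daemon that keeps running as root (tgtd.service later in this patch sets User=root) with no CapabilityBoundingSet= or NoNewPrivileges= next to it, and systemd.exec(5) notes that a process retaining CAP_SYS_ADMIN can undo ProtectSystem=, ProtectHome= and ProtectKernelTunables= by remounting, so this block guards against accidental writes rather than confining a compromised tgtd. The identical block is added again to tgtd.service in the last hunk of this patch. Since the commit message says the change is untested, it is also worth stating next to the block that ProtectHome=true hides /home, /root and /run/user and ProtectSystem=full makes /usr, /boot and /etc read-only, so a file-backed LUN that /etc/tgt/targets.conf points at inside one of those trees will no longer open; a comment such as `# NOTE: file backing stores must live outside /home, /root, /run/user and the read-only /usr, /boot and /etc trees` would make that constraint visible to maintainers. Whether tgtd can additionally run with CapabilityBoundingSet=~CAP_SYS_ADMIN cannot be determined from this hunk and needs a test run.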
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Nov 24 15:09:05 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_tgtd.service.patch
+ Modified:
+ * tgtd.service
+
 -------------------------------------------------------------------
 Fri Jul 26 12:21:06 UTC 2019 - matthias.gerstner@suse.com
diff --git a/tgt.spec b/tgt.spec
index 499bbbe..763d467 100644
--- a/tgt.spec
+++ b/tgt.spec
@@ -35,6 +35,7 @@ Patch1: %{name}-fix-build
 Patch2: setup-tgt-conf-d.patch
 Patch3: %{name}-include-sys-macros-for-major.patch
 Patch4: %{name}-Fix-gcc7-string-truncation-warnings.patch
+Patch5: harden_tgtd.service.patch
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: libaio-devel
 BuildRequires: libxslt
@@ -59,6 +60,7 @@ user-space daemon and tools (i.e. they completely runs in user space).
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %build
 %ifarch ppc ppc64 ppc64le
diff --git a/tgtd.service b/tgtd.service
index 81d1834..0b1c4b8 100644
--- a/tgtd.service
+++ b/tgtd.service
@@ -3,6 +3,15 @@ Description=tgt admin
 After=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictRealtime=true
+# end of automatic additions
 EnvironmentFile=-/etc/sysconfig/tgt
 Type=forking
 User=root
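Review bot: tgtd.service now carries the same auto-generated hardening block that harden_tgtd.service.patch applies to scripts/tgtd.service, so the package maintains two unit files with identical sandboxing but different [Service] settings (EnvironmentFile=-/etc/sysconfig/tgt here versus Environment=TGTD_CONFIG=/etc/tgt/targets.conf there), and which one is actually installed cannot be seen from the tgt.spec hunks. Keeping a single source of truth for the unit, or at least a comment in the spec stating which file is installed, would stop the two copies drifting the next time the hardening set is revised. The [Service] section continues past the hunk, so any Exec* lines that might need ReadWritePaths= under ProtectSystem=full are not visible here.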