From 75dc410eed5b37804b68126755fbb579e5ddc1fb1c72c0550093e4919f64cde6 Mon Sep 17 00:00:00 2001
From: andrea florio
Date: Tue, 15 Feb 2022 10:22:08 +0000
Subject: [PATCH] Accepting request 934995 from home:jsegitz:branches:systemdhardening:hardware Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/934995
OBS-URL: https://build.opensuse.org/package/show/hardware/usb_modeswitch?expand=0&rev=81
---
 harden_usb_modeswitch@.service.patch | 22 ++++++++++++++++++++++
 usb_modeswitch.changes | 6 ++++++
 usb_modeswitch.spec | 2 ++
 3 files changed, 30 insertions(+)
 create mode 100644 harden_usb_modeswitch@.service.patch
diff --git a/harden_usb_modeswitch@.service.patch b/harden_usb_modeswitch@.service.patch
new file mode 100644
index 0000000..7c92935
--- /dev/null
+++ b/harden_usb_modeswitch@.service.patch
@@ -0,0 +1,22 @@
+Index: usb-modeswitch-2.6.1/usb_modeswitch@.service
+===================================================================
+--- usb-modeswitch-2.6.1.orig/usb_modeswitch@.service
++++ usb-modeswitch-2.6.1/usb_modeswitch@.service
+@@ -2,6 +2,17 @@
+ Description=USB_ModeSwitch_%i
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ ExecStart=/usr/sbin/usb_modeswitch_dispatcher --switch-mode %i
+ # Testing
diff --git a/usb_modeswitch.changes b/usb_modeswitch.changes
index 88e5ad2..5b4084a 100644
--- a/usb_modeswitch.changes
+++ b/usb_modeswitch.changes
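Review bot: `ProtectKernelTunables=true` and `ProtectKernelModules=true` in the added [Service] block are the two directives most likely to stop this unit from doing its job, and the commit message itself says the change has not been tested. The first makes /sys and /proc/sys read-only for the service and the second denies explicit module loading, while a mode-switch dispatcher typically has to write sysfs attributes (for example to bind a driver to the switched device) and may call modprobe; that is not visible on this page, so it needs a test with real hardware. If the dispatcher needs either capability, drop that line and leave a comment such as `# ProtectKernelTunables omitted: dispatcher writes to /sys` so the automatic hardening does not re-add it. Because the unit is a `Type=oneshot` template, a denied write would most likely surface only as a device that never switches, so check the journal for the `usb_modeswitch@` instance after plugging in a device. The [Service] section continues past the last context line (`# Testing`), so later directives are not visible here.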
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Nov 26 12:00:38 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_usb_modeswitch@.service.patch
+
 -------------------------------------------------------------------
 Thu Sep 17 06:17:44 UTC 2020 - Dirk Mueller
diff --git a/usb_modeswitch.spec b/usb_modeswitch.spec
index 63ea315..3c1ca42 100644
--- a/usb_modeswitch.spec
+++ b/usb_modeswitch.spec
@@ -31,6 +31,7 @@ Source1: https://www.draisberghof.de/usb_modeswitch/%{source_name}-data-%
 Source2: https://www.draisberghof.de/usb_modeswitch/device_reference.txt
 Source3: https://www.draisberghof.de/usb_modeswitch/parameter_reference.txt
 Patch1: usb_modeswitch-fix_fsf_address.patch
+Patch2: harden_usb_modeswitch@.service.patch
 BuildRequires: fdupes
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(libusb-1.0)
@@ -59,6 +60,7 @@ Data files for usb_modeswitch package.
 %prep
 %setup -q -a1 -n %{source_name}-%{version}
 %patch1
+%patch2 -p1
 cp %{SOURCE2} .
 cp %{SOURCE3} .