From 0e5610efdcbd74662382034c91b628e2a64b9b597810f7e892365723352cb4c1 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Sat, 27 Nov 2021 14:21:41 +0000
Subject: [PATCH] Accepting request 933481 from
 home:jsegitz:branches:systemdhardening:network:vpn

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=129
---
 harden_strongswan.service.patch | 22 ++++++++++++++++++++++
 strongswan.changes              |  6 ++++++
 strongswan.spec                 |  2 ++
 3 files changed, 30 insertions(+)
 create mode 100644 harden_strongswan.service.patch

diff --git a/harden_strongswan.service.patch b/harden_strongswan.service.patch
new file mode 100644
index 0000000..08c57b5
--- /dev/null
+++ b/harden_strongswan.service.patch
@@ -0,0 +1,22 @@
+Index: strongswan-5.9.3/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.9.3.orig/init/systemd/strongswan.service.in
++++ strongswan-5.9.3/init/systemd/strongswan.service.in
+@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
+ After=network-online.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
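Review bot: The hardening block inserted into `[Service]` is described by the commit message as untested, and `ProtectKernelTunables=true` makes /proc/sys read-only for the unit, so if any updown script spawned by charon-systemd or the `swanctl --load-all` ExecStartPost step adjusts a sysctl it will fail at runtime rather than at build time; this should be exercised once with a real connection before the patch lands. `ProtectSystem=full` likewise mounts /etc read-only, so it is worth confirming that charon-systemd only reads under /etc and never writes there. The closing marker `# end of automatic additions ` carries a trailing space; drop it so the generated block is byte-stable across regenerations. The patched unit file continues outside this hunk, so any later directives that would conflict with these are not visible here.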
diff --git a/strongswan.changes b/strongswan.changes
index c8b3704..0cb9df8 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 24 08:25:29 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_strongswan.service.patch
+
 -------------------------------------------------------------------
 Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
 
diff --git a/strongswan.spec b/strongswan.spec
index df3da84..cb7bec7 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -80,6 +80,7 @@ Patch2:         %{name}_ipsec_service.patch
 Patch3:         %{name}_fipscheck.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+Patch6:	harden_strongswan.service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
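Review bot: The new `Patch6:` line separates the tag from its value with a tab, while the neighbouring `Patch3:`/`Patch5:` lines pad with spaces to a fixed column; change it to `Patch6:         harden_strongswan.service.patch` so the header block stays aligned and the next edit does not produce whitespace-only diff noise. Since the patch is applied unconditionally by the `%patch6 -p1` hunk below but declared right after a conditional `%endif`, a short comment on the declaration such as `# systemd hardening, bsc#1181400` would make its purpose visible without consulting the changelog.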
@@ -267,6 +268,7 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
      < %{_sourcedir}/fipscheck.sh.in        \
      > _fipscheck
 %endif
+%patch6 -p1
 
 %build
 CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"