Accepting request 919467 from home:jsegitz:branches:systemdhardening:M17N

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/919467
OBS-URL: https://build.opensuse.org/package/show/M17N/fwnn?expand=0&rev=31

fcwnn.service

@@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/zh_CN/cserverrc
 Description=Free Wnn (mainland) Chinese Server, for input of simplified Chinese
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/cd_sockV4

fkwnn.service

@@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/ko_KR/kserverrc
 Description=Free Wnn Korean Server, for input of Korean
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/kd_sockV4

ftwnn.service

@@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/zh_TW/tserverrc
 Description=Free Wnn Taiwan-Chinese Server, for input of traditional Chinese
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/td_sockV4

fwnn.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Sep 16 07:16:15 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * fcwnn.service
+  * fkwnn.service
+  * ftwnn.service
+  * fwnn.service
+
 -------------------------------------------------------------------
 Wed Aug 21 13:31:28 UTC 2019 - Berthold Gunreben <azouhr@opensuse.org>
 

fwnn.service

@@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/ja/jserverrc
 Description=Free Wnn Kanji Server used for input of Japanese
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/jd_sockV4