Accepting request 919467 from home:jsegitz:branches:systemdhardening:M17N

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/919467 OBS-URL: https://build.opensuse.org/package/show/M17N/fwnn?expand=0&rev=31
2021-09-18 14:36:29 +00:00 · 2021-09-18 14:36:29 +00:00 · 35a636bf63
commit 35a636bf63
parent 0c134864c5
5 changed files with 61 additions and 0 deletions
--- a/fcwnn.service
+++ b/fcwnn.service
@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/zh_CN/cserverrc
 Description=Free Wnn (mainland) Chinese Server, for input of simplified Chinese

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/cd_sockV4
--- a/fkwnn.service
+++ b/fkwnn.service
@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/ko_KR/kserverrc
 Description=Free Wnn Korean Server, for input of Korean

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/kd_sockV4
--- a/ftwnn.service
+++ b/ftwnn.service
@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/zh_TW/tserverrc
 Description=Free Wnn Taiwan-Chinese Server, for input of traditional Chinese

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/td_sockV4
--- a/fwnn.changes
+++ b/fwnn.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Sep 16 07:16:15 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * fcwnn.service
+  * fkwnn.service
+  * ftwnn.service
+  * fwnn.service
+
 -------------------------------------------------------------------
 Wed Aug 21 13:31:28 UTC 2019 - Berthold Gunreben <azouhr@opensuse.org>

--- a/fwnn.service
+++ b/fwnn.service
@ -3,6 +3,19 @@ ConditionPathExists=/etc/FreeWnn/ja/jserverrc
 Description=Free Wnn Kanji Server used for input of Japanese

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 User=wnn
 ExecStartPre=/bin/rm -f /tmp/jd_sockV4