forked from pool/fwupd
fwupd/harden_fwupd-refresh.service.patch

19 lines
674 B

Accepting request 1046691 from home:polslinux:branches:Base:System

- Update to 1.8.9:
  + This release adds the following features:
    - Add an interactive request for re-inserting the USB cable
    - Add SHA384 support for TPM hashes
    - Add X-FingerprintReader, X-GraphicsTablet, X-Dock and X-UsbDock categories
    - Allow specifying OR parent requirements in metadata
  + This release fixes the following bugs:
    - Add the fwupd version to the HSI result if the chassis is invalid
    - Allow getting the ESP when there is a block device with no filesystem
    - Allow reinstalling on devices with only-version-upgrade set
    - Do not require the TPM event log to have all reconstructions
    - Fix a tiny memory leak when parsing signed reports
    - Ignore failure to mount the ESP if unsupported
    - Never allow using SHA-1 for checksum validation
    - Return a more useful error if USB recovery failed
    - Skip the fwupdx64.efi BootXXXX entry when measuring system integrity
    - Speed up daemon startup using prepared XPath queries
    - Suggest to turn on ThunderboltAccess for Lenovo systems
    - Use better defaults if the config file is missing
  + This release adds support for the following hardware:
    - More Solidigm NVMe devices
    - More Synaptics Cape devices
    - More Synaptics Prometheus devices
    - Most Texas Instruments USB-4 docks
    - Scaler support for Wacom USB devices
    - Several new Wistron USB-C docks

OBS-URL: https://build.opensuse.org/request/show/1046691
OBS-URL: https://build.opensuse.org/package/show/Base:System/fwupd?expand=0&rev=131
2023-01-05 08:58:31 +01:00
Index: fwupd-1.8.9/data/motd/fwupd-refresh.service.in
===================================================================
--- fwupd-1.8.9.orig/data/motd/fwupd-refresh.service.in
+++ fwupd-1.8.9/data/motd/fwupd-refresh.service.in
@@ -13,5 +13,13 @@ SystemCallFilter=~@mount
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+# end of automatic additions
SuccessExitStatus=2
ExecStart=@bindir@/fwupdmgr refresh
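
Review bot: `ProtectSystem=full` in the added block only makes /usr, /boot, /efi and /etc read-only, so the rest of the file system stays writable to a unit whose sole job is `ExecStart=@bindir@/fwupdmgr refresh`. Consider `ProtectSystem=strict` with the paths the refresh has to write granted explicitly, and record in the patch or changelog that the refresh was re-run under the new settings, since `ProtectHome=true` and the read-only mounts can break a service that worked before. The "added automatically" comment gives no per-directive rationale, so a later editor cannot tell which settings were actually evaluated for this unit; a short note on why `full` was chosen over `strict` would help. Style: the new lines use `=true` while the surrounding context uses `=yes` (`ProtectKernelModules=yes`, `ProtectControlGroups=yes`, `RestrictRealtime=yes`); both parse the same, but matching the file's existing spelling keeps the unit consistent. `systemd-analyze security fwupd-refresh.service` before and after the change would show what exposure remains.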