From 3262458610f1ae9686cee3e93d13565accd9af9ea94deb377871e632333455d3 Mon Sep 17 00:00:00 2001
From: Lars Vogdt
Date: Fri, 29 Oct 2021 14:01:56 +0000
Subject: [PATCH] Accepting request 923533 from home:jsegitz:branches:systemdhardening:server:database

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/923533
OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=281
---
 harden_mariadb.service.patch | 21 +++++++++++++++++++++
 mariadb.changes | 8 ++++++++
 mariadb.service.in | 11 +++++++++++
 mariadb.spec | 2 ++
 4 files changed, 42 insertions(+)
 create mode 100644 harden_mariadb.service.patch

diff --git a/harden_mariadb.service.patch b/harden_mariadb.service.patch
new file mode 100644
index 0000000..dbe7d1a
--- /dev/null
+++ b/harden_mariadb.service.patch
@@ -0,0 +1,21 @@
+Index: mariadb-10.6.4/support-files/mariadb.service.in
+===================================================================
+--- mariadb-10.6.4.orig/support-files/mariadb.service.in
++++ mariadb-10.6.4/support-files/mariadb.service.in
+@@ -29,6 +29,16 @@ WantedBy=multi-user.target
+ 
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ 
+ ##############################################################################
+ ## Core requirements
diff --git a/mariadb.changes b/mariadb.changes
index 2ccea42..31ee651 100644
--- a/mariadb.changes
+++ b/mariadb.changes
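Review bot: The option list in this new patch file differs from the one the same commit adds to the packaged mariadb.service.in (the hunk that follows): `PrivateDevices=true` appears only there, so the upstream support-files/mariadb.service.in and the package's own unit end up hardened differently. Which of the two unit files is actually installed is not visible in this diff; if it is the packaged one, Patch8 in mariadb.spec is dead weight, and if both are shipped they should at least agree. I would add `+PrivateDevices=true` here (or drop it from mariadb.service.in) and extend the comment with `# keep in sync with the packaged mariadb.service.in` so the two lists do not drift again. Since the commit message itself says the change was not tested, the first install is worth checking with `systemd-analyze security mariadb.service` and `systemctl status mariadb` to confirm the unit still starts and that the new protections are in effect.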
@@ -3,6 +3,14 @@ Thu Oct 7 15:02:44 UTC 2021 - Danilo Spinella
 
 - Fix socket address in mariadb@.socket file
 
+-------------------------------------------------------------------
+Wed Oct 6 11:43:40 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_mariadb.service.patch
+  Modified:
+  * mariadb.service.in
+
 -------------------------------------------------------------------
 Mon Sep 20 09:01:17 UTC 2021 - Danilo Spinella
 
diff --git a/mariadb.service.in b/mariadb.service.in
index 993c6d3..21d4d8e 100644
--- a/mariadb.service.in
+++ b/mariadb.service.in
@@ -63,6 +63,17 @@ ProtectSystem=full
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true
diff --git a/mariadb.spec b/mariadb.spec
index 039108d..cae1199 100644
--- a/mariadb.spec
+++ b/mariadb.spec
@@ -79,6 +79,7 @@ Patch4: mariadb-10.2.4-fortify-and-O.patch
 Patch5: mariadb-10.2.19-link-and-enable-c++11-atomics.patch
 Patch6: mariadb-10.4.12-harden_setuid.patch
 Patch7: mariadb-10.4.12-fix-install-db.patch
+Patch8: harden_mariadb.service.patch
 # needed for bison SQL parser and wsrep API
 BuildRequires: bison
 BuildRequires: cmake
@@ -364,6 +365,7 @@ find . -name "*.jar" -type f -exec rm --verbose -f {} \;
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 cp %{_sourcedir}/suse-test-run .
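Review bot: The new sandboxing block in mariadb.service.in sits directly above `PermissionsStartOnly=true`, and as far as I recall systemd treats that (deprecated) setting like the `+` command prefix, exempting the ExecStartPre/ExecStartPost commands — which the existing comment says run as root — from the file system and kernel protections, so these new directives would constrain the mysqld main process only. That is likely acceptable for an automatic first pass, but it should be stated so nobody reads the block as covering the helper scripts; I would extend the comment with `# note: PermissionsStartOnly=true exempts ExecStartPre/ExecStartPost from these sandboxing options`. `PrivateDevices=true` is also the one directive here that is absent from harden_mariadb.service.patch in the same commit, and since the commit message says nothing was tested, it is the first setting to look at should the service fail to start on a host whose plugins or SST helpers open a device node. The [Service] section continues outside the hunk.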