From 87b89ebc60e6e99fe7595157aa7f2a56d637d4e837c01653a7ed2dfbc1e1e6bc Mon Sep 17 00:00:00 2001
From: Al Cho
Date: Wed, 13 Oct 2021 07:22:45 +0000
Subject: [PATCH] Accepting request 924889 from home:jsegitz:branches:systemdhardening:hardware
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/924889
OBS-URL: https://build.opensuse.org/package/show/hardware/neard?expand=0&rev=25
---
 harden_neard.service.patch | 23 +++++++++++++++++++++++
 neard.changes | 8 ++++++++
 neard.service | 12 ++++++++++++
 neard.spec | 2 ++
 4 files changed, 45 insertions(+)
 create mode 100644 harden_neard.service.patch
diff --git a/harden_neard.service.patch b/harden_neard.service.patch
new file mode 100644
index 0000000..98931f3
--- /dev/null
+++ b/harden_neard.service.patch
@@ -0,0 +1,23 @@
+Index: neard-0.16/src/neard.service.in
+===================================================================
+--- neard-0.16.orig/src/neard.service.in
++++ neard-0.16/src/neard.service.in
+@@ -3,6 +3,18 @@ Description=neard service
+ Documentation=man:neard(8)
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=dbus
+ BusName=org.neard
+ ExecStart=@pkglibexecdir@/neard -n
diff --git a/neard.changes b/neard.changes
index 5a64469..7cc6d7c 100644
--- a/neard.changes
+++ b/neard.changes
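Review bot: The twelve lines that harden_neard.service.patch adds to src/neard.service.in are the same block this commit also adds to the packaged neard.service (Source1), so the hardening now lives in two copies that can drift apart. Which of the two units ends up installed is not visible in this diff; if it is Source1, this patch has no effect on the shipped service, and if it is the upstream template, the Source1 edit is the unused one. A spec comment next to the patch entry would record the intent, for example `# Patch2 hardens the upstream unit template; keep in sync with Source1 neard.service`.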
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Oct 11 07:29:41 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_neard.service.patch
+ Modified:
+ * neard.service
+
 -------------------------------------------------------------------
 Sun Aug 16 20:04:59 UTC 2020 - Dirk Mueller
diff --git a/neard.service b/neard.service
index 570b7bc..848e1f5 100644
--- a/neard.service
+++ b/neard.service
@@ -3,6 +3,18 @@ Description=neard service
 Documentation=man:neard(8)
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=dbus
 BusName=org.neard
 ExecStart=/usr/lib/nfc/neard -n
diff --git a/neard.spec b/neard.spec
index e0808f2..9968ea4 100644
--- a/neard.spec
+++ b/neard.spec
@@ -29,6 +29,7 @@ Source: https://www.kernel.org/pub/linux/network/nfc/neard-%{version}.ta
 Source1: neard.service
 Source2: 99-neard.rules
 Patch1: neard-0.13-fix-dbus_send_destination_config.patch
+Patch2: harden_neard.service.patch
 BuildRequires: automake
 BuildRequires: check-devel
 BuildRequires: libtool
@@ -62,6 +63,7 @@ Files needed to test applications for the NFC stack.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 %build
 autoreconf -fiv
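Review bot: Nothing in the block added under `[Service]` in neard.service limits privilege gain or capabilities; the new directives only restrict the daemon's view of the filesystem and kernel interfaces, and the description states the set has not been tested. `NoNewPrivileges=true` and `PrivateTmp=true` are candidates to evaluate next, and a `CapabilityBoundingSet=` line could follow once it is confirmed which capabilities neard actually needs for NFC access. Before release the unit should be exercised with a real NFC adapter and scored with `systemd-analyze security neard.service`, since `ProtectKernelTunables=true` makes /proc/sys and /sys read-only and `ProtectHome=true` hides /home, /root and /run/user. The rest of the [Service] section lies outside the hunk, so a User= or capability setting may already exist there.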