From 7f33063b384ee9aff4db7305137e4f3fa111d731eeb75b79dd9321b74054a3ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=98=D0=BB=D1=8C=D1=8F=20=D0=98=D0=BD=D0=B4=D0=B8=D0=B3?= =?UTF-8?q?=D0=BE?=
Date: Tue, 12 Oct 2021 14:29:14 +0000
Subject: [PATCH] Accepting request 924900 from home:jsegitz:branches:systemdhardening:server:http
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/924900
OBS-URL: https://build.opensuse.org/package/show/server:http/nginx?expand=0&rev=214
---
 nginx.changes | 6 ++++++
 nginx.service | 13 +++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/nginx.changes b/nginx.changes
index dedf26a..cc54544 100644
--- a/nginx.changes
+++ b/nginx.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 11 09:26:39 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * nginx.service
+
 -------------------------------------------------------------------
 Fri Sep 10 17:44:54 UTC 2021 - Илья Индиго
diff --git a/nginx.service b/nginx.service
index ff7a9d8..a9b409e 100644
--- a/nginx.service
+++ b/nginx.service
@@ -12,6 +12,19 @@ KillSignal=SIGQUIT
 TimeoutStopSec=5
 KillMode=mixed
 PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 [Install]
 WantedBy=multi-user.target
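Review bot: `ProtectHome=read-only` in the added nginx.service block still lets the service read /home, /root and /run/user, so a compromised nginx process keeps read access to user data. Unless this package has to serve per-user directories, `ProtectHome=true` would be the tighter default, with read-only left to a drop-in on hosts that need it. The commit message states that the change has not been tested, so the unit should be started, reloaded and run through log rotation before it ships, and the result checked with `systemd-analyze security nginx.service`. The added comment could also say how to relax a directive, for example `# override locally with a drop-in: systemctl edit nginx.service`. The [Service] section starts above the hunk, so any User= setting or existing capability limits are not visible here.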