From c4c9c2bd0d57b9e146f23ededf59a9599282c65d0b163eb5e3985368237c0a4a Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sun, 17 Dec 2023 08:53:40 +0000
Subject: [PATCH] Accepting request 926707 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/926707
OBS-URL: https://build.opensuse.org/package/show/network/pen?expand=0&rev=10
---
 pen.changes | 6 ++++++
 pen.service | 13 +++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/pen.changes b/pen.changes
index 4d923db..0c3c14c 100644
--- a/pen.changes
+++ b/pen.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 18 14:17:33 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * pen.service
+
 -------------------------------------------------------------------
 Mon Aug 17 20:00:26 UTC 2020 - Dirk Mueller
 
diff --git a/pen.service b/pen.service
index 9d9f3db..9478ff4 100644
--- a/pen.service
+++ b/pen.service
@@ -2,6 +2,19 @@
 Description=A simple load balancer for tcp based protocols
 After=time-sync.target nss-lookup.target syslog.socket remote-fs.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStart=/usr/share/pen/scripts/rcpen start
 ExecStop=/usr/share/pen/scripts/rcpen stop
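Review bot: The block added under `[Service]` in pen.service restricts filesystem and kernel interfaces but leaves privilege gain through setuid binaries open for a network-facing daemon; once the unit has been exercised, consider adding `NoNewPrivileges=true` after `RestrictRealtime=true`. Because the commit message says the hardening has not been tested, it is worth confirming that `/usr/share/pen/scripts/rcpen` keeps its pid file, logs and any control socket outside the trees that `ProtectSystem=full` mounts read-only (including `/usr` and `/etc`) and outside the home directories hidden by `ProtectHome=true`. The script is not part of this patch, so whether those paths are affected is an open question rather than a confirmed break. Running `systemd-analyze security pen.service` on a test host shows what exposure remains after these directives.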