From 077335e24c42be8e691c868eeef4e7529eca284306de696cf474d6d7064267d6 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Mon, 22 Nov 2021 10:12:27 +0000
Subject: [PATCH] Accepting request 932210 from home:jsegitz:branches:systemdhardening:server:proxy

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/932210
OBS-URL: https://build.opensuse.org/package/show/server:proxy/shadowsocks-libev?expand=0&rev=48
---
shadowsocks-libev-client.service | 13 +++++++++++++
shadowsocks-libev-client@.service | 13 +++++++++++++
shadowsocks-libev-manager.service | 13 +++++++++++++
shadowsocks-libev-nat.service | 13 +++++++++++++
shadowsocks-libev-nat@.service | 13 +++++++++++++
shadowsocks-libev-redir.service | 13 +++++++++++++
shadowsocks-libev-redir@.service | 13 +++++++++++++
shadowsocks-libev-server.service | 13 +++++++++++++
shadowsocks-libev-server@.service | 13 +++++++++++++
shadowsocks-libev-tunnel.service | 13 +++++++++++++
shadowsocks-libev-tunnel@.service | 13 +++++++++++++
shadowsocks-libev.changes | 16 ++++++++++++++++
12 files changed, 159 insertions(+)

diff --git a/shadowsocks-libev-client.service b/shadowsocks-libev-client.service
index fdcaa98..33ad664 100644
--- a/shadowsocks-libev-client.service
+++ b/shadowsocks-libev-client.service
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-client.pid
 ExecStart=/usr/bin/ss-local -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-client.pid -u --fast-open
diff --git a/shadowsocks-libev-client@.service b/shadowsocks-libev-client@.service
index b16e82a..8d9e79a 100644
--- a/shadowsocks-libev-client@.service
+++ b/shadowsocks-libev-client@.service
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-client@%i.pid
 ExecStart=/usr/bin/ss-local -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-client@%i.pid -u --fast-open
diff --git a/shadowsocks-libev-manager.service b/shadowsocks-libev-manager.service
index f3dad84..334c229 100644
--- a/shadowsocks-libev-manager.service
+++ b/shadowsocks-libev-manager.service
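Review bot: The block added under `[Service]` in shadowsocks-libev-client.service leaves out the directives that matter most for a daemon handling network input: nothing here drops capabilities, blocks privilege escalation, or restricts the socket families and system calls ss-local may use. ss-local only binds a local listener and connects out (AF_UNIX is kept for syslog via /dev/log when it daemonizes), so the lines below should be safe to add after `RestrictRealtime=true`. I cannot see whether a `User=` follows `ExecStart=` below the hunk; if the unit still runs as root, a dedicated user is the single largest improvement available. The commit message states the change was not tested, so one start/stop cycle plus `systemd-analyze security shadowsocks-libev-client.service` would confirm the pid-file write still works under this list.
```ini
# … unchanged: automatic hardening block up to RestrictRealtime=true …
RestrictRealtime=true
# ss-local needs no capabilities: it binds a local port and connects out
NoNewPrivileges=true
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
# end of automatic additions
```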
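Review bot: In shadowsocks-libev-client@.service the choice of `ProtectSystem=full` over `strict` is not explained, and the reason is visible in the same hunk: the pid file (`PIDFile=/var/run/shadowsocks-libev-client@%i.pid`, written by ss-local itself through `-f`) lives under /run, which `strict` would make read-only while `full` leaves it writable. If this block is later tightened to `ProtectSystem=strict`, it needs `ReadWritePaths=/run` or, better, a `RuntimeDirectory=shadowsocks-libev` with the pid file moved under it. Suggested comment directly above `ProtectSystem=full`: `# 'full' rather than 'strict': the daemon writes its own pid file under /var/run`. The instance config `/etc/shadowsocks/%i.json` is only read, so it is unaffected either way.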
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-manager.pid
 ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-manager.pid -u --fast-open
diff --git a/shadowsocks-libev-nat.service b/shadowsocks-libev-nat.service
index 994fd47..961463d 100644
--- a/shadowsocks-libev-nat.service
+++ b/shadowsocks-libev-nat.service
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-nat.pid
 ExecStart=/usr/bin/ss-nat -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-nat.pid -u --fast-open
diff --git a/shadowsocks-libev-nat@.service b/shadowsocks-libev-nat@.service
index 5019cf9..76ea729 100644
--- a/shadowsocks-libev-nat@.service
+++ b/shadowsocks-libev-nat@.service
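Review bot: For shadowsocks-libev-manager.service the added block is inherited by every ss-server child that ss-manager spawns, which is the desired effect, but the unit also has to keep the manager's control socket reachable and nothing in the hunk records where that socket lives. If the manager address is a UNIX socket under /tmp (the upstream default as far as I recall — to be confirmed against the shipped config), it keeps working only because `PrivateTmp=` is not part of this block; a later hardening pass adding `PrivateTmp=true` would silently cut controllers off. Suggested comment after `# end of automatic additions`: `# no PrivateTmp=: the manager socket may live under /tmp; check the configured manager-address before adding it`. Since the commit states the change is untested, starting the unit and issuing one `ping` command over the manager socket would verify this.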
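Review bot: shadowsocks-libev-nat.service is the unit most likely to break under `ProtectKernelTunables=true` and `ProtectKernelModules=true`, because unlike the other binaries ss-nat installs netfilter rules rather than serving sockets. Module auto-loading triggered by iptables itself is not blocked (only CAP_SYS_MODULE and explicit loading are removed), but any explicit `modprobe` or `sysctl -w` the script performs would now fail with /proc/sys read-only; the script is not visible from here, so this needs a start/stop cycle with `iptables -t nat -S` inspected afterwards. If a sysctl write turns out to be required, ship it as a file in `/usr/lib/sysctl.d/` rather than relaxing `ProtectKernelTunables=` for this unit. Please record the outcome in the unit, e.g. `# verified: ss-nat only inserts netfilter rules, no module or sysctl writes`.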
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-nat@%i.pid
 ExecStart=/usr/bin/ss-nat -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-nat@%i.pid -u --fast-open
diff --git a/shadowsocks-libev-redir.service b/shadowsocks-libev-redir.service
index b11023f..6e0e9e3 100644
--- a/shadowsocks-libev-redir.service
+++ b/shadowsocks-libev-redir.service
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-redir.pid
 ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-redir.pid -u --fast-open
diff --git a/shadowsocks-libev-redir@.service b/shadowsocks-libev-redir@.service
index 9e4c027..5c6896a 100644
--- a/shadowsocks-libev-redir@.service
+++ b/shadowsocks-libev-redir@.service
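Review bot: The block in shadowsocks-libev-nat@.service is a verbatim copy of the one used for the socket-serving units, and it should carry a warning that this template cannot be hardened further by copy-paste from them: the iptables calls ss-nat makes need CAP_NET_ADMIN and CAP_NET_RAW and talk to the kernel over AF_NETLINK, none of which the directives added here touch, as far as the hunk shows. Suggested line after `RestrictRealtime=true`: `# ss-nat drives iptables: keep CAP_NET_ADMIN/CAP_NET_RAW and AF_NETLINK if CapabilityBoundingSet= or RestrictAddressFamilies= are ever added`. This is documentation only; no directive in the hunk needs to change.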
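Review bot: shadowsocks-libev-redir.service keeps the full root capability set after this change, which the `-u` (UDP relay) option on the `ExecStart=` line probably requires: transparent UDP redirection in ss-redir uses IP_TRANSPARENT sockets as far as I recall, and setting that option needs CAP_NET_ADMIN. That is compatible with the block as written, but it means this unit cannot simply receive the empty `CapabilityBoundingSet=` that fits ss-local or ss-server; if capabilities are trimmed later, use `CapabilityBoundingSet=CAP_NET_ADMIN` (plus `AmbientCapabilities=CAP_NET_ADMIN` if a `User=` is introduced). Suggested comment after `RestrictRealtime=true`: `# no CapabilityBoundingSet=: UDP redirection (-u) needs CAP_NET_ADMIN for IP_TRANSPARENT`. I cannot see whether a `User=` follows the hunk.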
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-redir@%i.pid
 ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-redir@%i.pid -u --fast-open
diff --git a/shadowsocks-libev-server.service b/shadowsocks-libev-server.service
index 6f484ec..f08c3e0 100644
--- a/shadowsocks-libev-server.service
+++ b/shadowsocks-libev-server.service
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-server.pid
 ExecStart=/usr/bin/ss-server -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-server.pid -u --fast-open
diff --git a/shadowsocks-libev-server@.service b/shadowsocks-libev-server@.service
index 348a527..e9ed491 100644
--- a/shadowsocks-libev-server@.service
+++ b/shadowsocks-libev-server@.service
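Review bot: shadowsocks-libev-server.service is the one unit in this set that exposes a listener to the Internet and decrypts attacker-supplied ciphertext, yet the added block contains only file-system and kernel-interface protections and none of the exploit-mitigation directives that raise the cost of a memory-safety bug in the server. libev and the crypto backends do not generate code at run time as far as I know, so the lines below should be safe; the commit notes the change is untested, so start the unit once with a client connected after adding them. `SystemCallArchitectures=native` additionally stops a compromised process from switching to the 32-bit ABI to evade a later seccomp filter.
```ini
# … unchanged: automatic hardening block …
# end of automatic additions
# ss-server parses untrusted ciphertext from the network: deny W+X memory,
# personality and namespace tricks, and the non-native syscall ABI
MemoryDenyWriteExecute=true
LockPersonality=true
RestrictNamespaces=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
```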
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-server@%i.pid
 ExecStart=/usr/bin/ss-server -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-server@%i.pid -u --fast-open
diff --git a/shadowsocks-libev-tunnel.service b/shadowsocks-libev-tunnel.service
index 976db53..a3ad0bb 100644
--- a/shadowsocks-libev-tunnel.service
+++ b/shadowsocks-libev-tunnel.service
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-tunnel.pid
 ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-tunnel.pid -u --fast-open
diff --git a/shadowsocks-libev-tunnel@.service b/shadowsocks-libev-tunnel@.service
index 8b09578..ff6cddd 100644
--- a/shadowsocks-libev-tunnel@.service
+++ b/shadowsocks-libev-tunnel@.service
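Review bot: Three of the directives added to shadowsocks-libev-tunnel.service — `ProtectHostname=`, `ProtectKernelLogs=` and `ProtectClock=` — are comparatively recent (systemd 242, 244 and 245 respectively, from memory), and a systemd that predates them logs an "unknown key" warning and ignores the line, so on such a host the hardening silently degrades to the older subset without the unit failing. That is acceptable behaviour, but the minimum version this block was written for should be stated so that a warning in the journal is recognised as expected rather than as a typo. Suggested comment after `# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`: `# ProtectHostname=/ProtectKernelLogs=/ProtectClock= need systemd >= 245; older systemd ignores them with a warning`. Checking `journalctl -u shadowsocks-libev-tunnel.service` for such warnings after the first start would confirm which directives are actually in effect on the target release.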
@@ -4,6 +4,19 @@ Wants=network-online.target
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 PIDFile=/var/run/shadowsocks-libev-tunnel@%i.pid
 ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-tunnel@%i.pid -u --fast-open
diff --git a/shadowsocks-libev.changes b/shadowsocks-libev.changes
index 196e0f8..7c71e10 100644
--- a/shadowsocks-libev.changes
+++ b/shadowsocks-libev.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Nov 16 16:05:33 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * shadowsocks-libev-client.service
+ * shadowsocks-libev-client@.service
+ * shadowsocks-libev-manager.service
+ * shadowsocks-libev-nat.service
+ * shadowsocks-libev-nat@.service
+ * shadowsocks-libev-redir.service
+ * shadowsocks-libev-redir@.service
+ * shadowsocks-libev-server.service
+ * shadowsocks-libev-server@.service
+ * shadowsocks-libev-tunnel.service
+ * shadowsocks-libev-tunnel@.service
+
 -------------------------------------------------------------------
 Sat Sep 19 10:47:47 UTC 2020 - opensuse-packaging