diff --git a/harden_tvheadend.service.patch b/harden_tvheadend.service.patch
new file mode 100644
index 0000000..b5cacc9
--- /dev/null
+++ b/harden_tvheadend.service.patch
@@ -0,0 +1,22 @@
+Index: tvheadend-4.2.8/rpm/tvheadend.service
+===================================================================
+--- tvheadend-4.2.8.orig/rpm/tvheadend.service
++++ tvheadend-4.2.8/rpm/tvheadend.service
+@@ -3,6 +3,17 @@ Description=Tvheadend - a TV streaming s
+ After=network.target auditd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ EnvironmentFile=/etc/sysconfig/tvheadend
+ ExecStart=/usr/bin/tvheadend -f -p /run/tvheadend.pid $OPTIONS
+ PIDFile=/run/tvheadend.pid
diff --git a/tvheadend.changes b/tvheadend.changes
index 6989598..b8f26d2 100644
--- a/tvheadend.changes
+++ b/tvheadend.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 25 15:22:11 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_tvheadend.service.patch
+
 -------------------------------------------------------------------
 Fri Jun 12 12:49:02 UTC 2020 - Martin Pluskal
diff --git a/tvheadend.spec b/tvheadend.spec
index 157aa73..0a33a11 100644
--- a/tvheadend.spec
+++ b/tvheadend.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tvheadend
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2016 Packman Team
 #
 # All modifications and additions to the file contributed by third parties
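Review bot: ProtectHome=true together with ProtectSystem=full is only safe if the hts user's home directory and every configured recording or config path live outside /home, /root and /run/user; the unit shown here does not reveal where tvheadend keeps its state, so that should be confirmed against rpm/tvheadend.sysconfig before this lands, and if a path under /home is used a `ReadWritePaths=` line for it belongs next to the new directives. The hardening block also leaves out PrivateDevices=/DevicePolicy=, presumably because tuner access under /dev is required; a one-line comment such as `# PrivateDevices= intentionally omitted: tvheadend needs the DVB tuner nodes` inside the automatic-additions block would keep a later hardening pass from adding it blindly. The PID file written by ExecStart lives under /run, which ProtectSystem=full keeps writable, so that interaction looks fine.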
@@ -39,6 +39,7 @@ Source4: dvb-scan-git20190112.tar.gz
 Patch2: %{name}-fix-service-dependency.patch
 # PATCH-FIX-UPSTREAM -- fix unsufficient configure checks when using LTO (check optimized away)
 Patch3: fix_configure_checks_with_LTO.patch
+Patch4: harden_tvheadend.service.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: pkgconfig
@@ -69,6 +70,7 @@ day-to-day operations, such as searching the electronic program guide
 %setup -q
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 sed -e "s/-u \([^ ]*\) -g \([^ ]*\)/-u %{htsuser} -g %{htsgroup}/" -i rpm/%{name}.sysconfig
 sed -e '/^TVH_ARGS/cTVH_ARGS="-C"' -i debian/%{name}.default
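Review bot: The new Patch4 line is added without the tag comment its neighbour Patch3 carries, so a reader of the spec cannot tell whether it is an upstream fix or a distribution-local change. A line such as `# PATCH-FIX-OPENSUSE harden_tvheadend.service.patch -- systemd service hardening (bsc#1181400)` placed directly above `Patch4:` would match the existing convention in this block. The %patch4 application in the second hunk appears to run past the end of the visible text, so it is not reviewed here.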