sssd/0003-Harden-sssd-kcm.service.patch

From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 16 Oct 2024 14:05:02 +0200
Subject: [PATCH 3/4] Harden sssd-kcm.service

---
 src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 0c839ec5c..b403cd709 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket
 Also=sssd-kcm.socket
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-- 
2.46.1
Update patches for 2.10.0 2024-10-16 14:19:19 +02:00			`From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001`
builds 2024-08-30 11:37:19 +02:00			`From: Samuel Cabrero <scabrero@suse.de>`
Update patches for 2.10.0 2024-10-16 14:19:19 +02:00			`Date: Wed, 16 Oct 2024 14:05:02 +0200`
			`Subject: [PATCH 3/4] Harden sssd-kcm.service`
builds 2024-08-30 11:37:19 +02:00
			`---`
			`src/sysv/systemd/sssd-kcm.service.in \| 13 +++++++++++++`
			`1 file changed, 13 insertions(+)`

			`diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in`
Update patches for 2.10.0 2024-10-16 14:19:19 +02:00			`index 0c839ec5c..b403cd709 100644`
builds 2024-08-30 11:37:19 +02:00			`--- a/src/sysv/systemd/sssd-kcm.service.in`
			`+++ b/src/sysv/systemd/sssd-kcm.service.in`
Accepting request 933479 from home:jsegitz:branches:systemdhardening:network:ldap Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/933479 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=253 2021-11-25 13:04:46 +01:00			`@@ -8,6 +8,19 @@ After=sssd-kcm.socket`
			`Also=sssd-kcm.socket`

			`[Service]`
			`+# added automatically, for details please see`
			`+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
			`+ProtectSystem=full`
			`+ProtectHome=true`
			`+PrivateDevices=true`
			`+ProtectHostname=true`
			`+ProtectClock=true`
			`+ProtectKernelTunables=true`
			`+ProtectKernelModules=true`
			`+ProtectKernelLogs=true`
			`+ProtectControlGroups=true`
			`+RestrictRealtime=true`
builds 2024-08-30 11:37:19 +02:00			`+# end of automatic additions`
Accepting request 933479 from home:jsegitz:branches:systemdhardening:network:ldap Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/933479 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=253 2021-11-25 13:04:46 +01:00			`Environment=DEBUG_LOGGER=--logger=files`
Update patches for 2.10.0 2024-10-16 14:19:19 +02:00			`ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@`
builds 2024-08-30 11:37:19 +02:00			`ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf`
			`--`
Update patches for 2.10.0 2024-10-16 14:19:19 +02:00			`2.46.1`
builds 2024-08-30 11:37:19 +02:00