From 46bf221fbf3684ccfa8202dc7825436083fd97f01383fbd97861e6d88f2d740f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 25 Nov 2021 12:04:46 +0000
Subject: [PATCH] Accepting request 933479 from home:jsegitz:branches:systemdhardening:network:ldap

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933479
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=253
---
 harden_sssd-ifp.service.patch | 24 ++++++++++++++++++++++++
 harden_sssd-kcm.service.patch | 24 ++++++++++++++++++++++++
 sssd.changes | 7 +++++++
 sssd.spec | 2 ++
 4 files changed, 57 insertions(+)
 create mode 100644 harden_sssd-ifp.service.patch
 create mode 100644 harden_sssd-kcm.service.patch

diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch
new file mode 100644
index 0000000..250a49f
--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
new file mode 100644
index 0000000..183e0b0
--- /dev/null
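Review bot: The hardening block inserted under `[Service]` comes with no evidence that sssd-ifp still starts and answers on D-Bus once `ProtectSystem=full` makes /usr, /boot and /etc read-only and `ProtectHome=true` hides /home and /root, and the commit message says as much; the identical block in harden_sssd-kcm.service.patch has the same gap, so both should be validated with `systemd-analyze security sssd-ifp.service` plus a start/stop cycle before landing. The chosen directives are the conservative filesystem/kernel subset; `NoNewPrivileges=`, `CapabilityBoundingSet=`, `RestrictAddressFamilies=`, `RestrictNamespaces=`, `LockPersonality=`, `MemoryDenyWriteExecute=` and `SystemCallFilter=` are worth evaluating in a follow-up, since a D-Bus responder like ifp should need very little of what they take away. `ProtectHostname=`, `ProtectClock=` and `ProtectKernelLogs=` are only understood by newer systemd releases, and older ones log an unknown-key warning and skip them, so the effective hardening depends on the systemd version of each target this spec builds for — confirm it rather than assume it. The inner patch is also pinned to the `sssd-2.5.2` tree in its `Index:` line and will need refreshing when %version moves. The `[Unit]` and `[Install]` sections of sssd-ifp.service.in lie outside the inner hunk.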
+++ b/harden_sssd-kcm.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/sssd.changes b/sssd.changes
index d0ecbb7..c52be41 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_sssd-ifp.service.patch
+ * harden_sssd-kcm.service.patch
+
 -------------------------------------------------------------------
 Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index d3c46a4..63d8953 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -29,6 +29,8 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source3: baselibs.conf
 Source5: %name.keyring
 Patch1: krb-noversion.diff
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
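Review bot: None of the added directives reduce the capabilities of sssd_kcm, which the context line `ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}` shows running as root, so the process keeps a full capability set and a writable /var (the location of its secrets database) even with `ProtectSystem=full` in place; `CapabilityBoundingSet=` and `NoNewPrivileges=true`, sized to what the daemon actually needs, would be the natural next step for this unit specifically. Also confirm that `ExecStartPre=-@sbindir@/sssd --genconf-section=kcm` writes only below /var: with /etc now read-only, a write there would fail, and the leading `-` on that line means the failure is tolerated rather than aborting the start, so it would only surface in the journal. The rest of sssd-kcm.service.in, including the socket activation setup referenced by `Also=sssd-kcm.socket`, lies outside the inner hunk.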
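Review bot: Only the `Patch2:`/`Patch3:` declarations are added here, and the diffstat reports exactly 2 insertions for sssd.spec, so nothing in `%prep` changed. That is sufficient only if %prep applies patches automatically (`%autosetup -p1` or `%autopatch`); if it uses explicit `%patch1 -p1`-style lines, the two new patches are declared but never applied and the hardening never reaches the built unit files. %prep is outside the hunk, so check how the existing `Patch1: krb-noversion.diff` is applied and mirror that for Patch2 and Patch3.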