File 0100-harden_nvmf-connect@.service.patch of Package nvme-cli.26591

Subject: systemd hardening effort

https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

Apply the recommended hardening settings but without
"ProtectKernelTunables=true" as we need write access to /sys.

Signed-off-by: Daniel Wagner <dwagner@suse.de>
---
 nvmf-autoconnect/systemd/nvmf-connect@.service.in |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/nvmf-autoconnect/systemd/nvmf-connect@.service.in
+++ b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
@@ -9,6 +9,14 @@ PartOf=nvmf-connect.target
 Requires=nvmf-connect.target
 
 [Service]
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 Type=simple
 Environment="CONNECT_ARGS=%i"
 ExecStart=/bin/sh -c "@SBINDIR@/nvme connect-all --quiet `/bin/echo -e '${CONNECT_ARGS}'`"
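Review bot: the comment added at the top of the [Service] block carries only the URL, so the reason ProtectKernelTunables=true is missing from the list is recorded only in the commit message. A later hardening pass that applies the recommended set mechanically could add it back and break write access to /sys. Consider a comment in the unit itself, for example "# ProtectKernelTunables=true is intentionally omitted: write access to /sys is needed". Separately, ProtectKernelModules=true denies explicit module loading from within the unit, and nothing in the patch says this was checked against the "nvme connect-all" call in ExecStart. It is worth confirming that the command does not depend on loading modules itself, and noting the result in the commit message.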