Overview

File 0001-harden-services-with-systemd-sandboxing.patch of Package corosync-qdevice

From e9f0bf98fee6efe53c060d463501ed3ea95335a6 Mon Sep 17 00:00:00 2001
From: nicholasyang <nicholas.yang@suse.com>
Date: Mon, 28 Apr 2025 12:28:51 +0800
Subject: [PATCH] harden services with systemd sandboxing

---
 init/corosync-qdevice.service.in | 10 ++++++++++
 init/corosync-qnetd.service.in   | 12 ++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
index 5ffb498..824e557 100644
--- a/init/corosync-qdevice.service.in
+++ b/init/corosync-qdevice.service.in
@@ -14,5 +14,15 @@ Restart=on-failure
 RuntimeDirectory=corosync-qdevice
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
index a8d6a7e..6e84b02 100644
--- a/init/corosync-qnetd.service.in
+++ b/init/corosync-qnetd.service.in
@@ -16,5 +16,17 @@ Restart=on-abnormal
 RuntimeDirectory=corosync-qnetd
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+
 [Install]
 WantedBy=multi-user.target
-- 
2.49.0
openSUSE Build Service is sponsored by
Places