From adae004c7178a00d3213aa426eef1d879ec51072 Mon Sep 17 00:00:00 2001
From: Martin Belanger
Date: Mon, 29 Apr 2024 13:47:38 -0400
Subject: [PATCH] systemd: Harden stafd/stacd service files
Signed-off-by: Martin Belanger
---
 usr/lib/systemd/system/stacd.in.service | 9 +++++++++
 usr/lib/systemd/system/stafd.in.service | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/usr/lib/systemd/system/stacd.in.service b/usr/lib/systemd/system/stacd.in.service
index 77a4ad5..dae6620 100644
--- a/usr/lib/systemd/system/stacd.in.service
+++ b/usr/lib/systemd/system/stacd.in.service
@@ -28,5 +28,14 @@ RuntimeDirectory=stacd
 CacheDirectory=stacd
 RuntimeDirectoryPreserve=yes
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
 [Install]
 WantedBy=multi-user.target
diff --git a/usr/lib/systemd/system/stafd.in.service b/usr/lib/systemd/system/stafd.in.service
index 01ddc2b..9e31685 100644
--- a/usr/lib/systemd/system/stafd.in.service
+++ b/usr/lib/systemd/system/stafd.in.service
@@ -31,5 +31,14 @@ RuntimeDirectory=stafd
 CacheDirectory=stafd
 RuntimeDirectoryPreserve=yes
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
 [Install]
 WantedBy=multi-user.target
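Review bot: The added boolean directives mix two spellings — `ProtectHome=true` through `RestrictRealtime=true` use `true` while `LockPersonality=yes` and `MemoryDenyWriteExecute=yes` use `yes`; systemd accepts both, but the block reads more consistently as `LockPersonality=true` and `MemoryDenyWriteExecute=true`, and the same block is repeated verbatim in the stafd.in.service hunk. `ProtectProc=invisible` only hides other processes from a service that lacks CAP_SYS_PTRACE, so if these units still run as root with no `CapabilityBoundingSet=` (the [Service] lines above line 28 are outside this hunk) it adds little on its own. `MemoryDenyWriteExecute=` refuses writable-and-executable mappings, which some language runtimes and FFI-based bindings rely on, so it is worth confirming both daemons start and handle their D-Bus and device callbacks with it enabled before this ships. A short comment above the block, e.g. `# Sandboxing: see systemd.exec(5); verify with systemd-analyze security`, would tell the next maintainer why these lines exist and how to re-check the remaining exposure.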