From a09dcbde211b23cfc1bbc5e9e3dbfdb7a24c2a439d2be6d71a705edf9cee8c57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 20 Dec 2024 16:03:10 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main corosync-qdevice revision 646b7048f17314a09aa88ad1fec2a3d4
---
 ...den-services-with-systemd-sandboxing.patch | 56 ++++++++++++++++++
 corosync-qdevice.changes | 6 ++
 corosync-qdevice.spec | 58 +++++++++----------
 3 files changed, 91 insertions(+), 29 deletions(-)
 create mode 100644 0001-harden-services-with-systemd-sandboxing.patch
diff --git a/0001-harden-services-with-systemd-sandboxing.patch b/0001-harden-services-with-systemd-sandboxing.patch
new file mode 100644
index 0000000..545c0c3
--- /dev/null
+++ b/0001-harden-services-with-systemd-sandboxing.patch
@@ -0,0 +1,56 @@
+From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001
+From: nicholasyang
+Date: Wed, 13 Nov 2024 16:11:10 +0800
+Subject: [PATCH] harden services with systemd sandboxing
+
+---
+ init/corosync-qdevice.service.in | 10 ++++++++++
+ init/corosync-qnetd.service.in | 13 +++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
+index 5ffb498..824e557 100644
+--- a/init/corosync-qdevice.service.in
++++ b/init/corosync-qdevice.service.in
+@@ -14,5 +14,15 @@ Restart=on-failure
+ RuntimeDirectory=corosync-qdevice
+ RuntimeDirectoryMode=0770
+
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
+index a8d6a7e..64da610 100644
+--- a/init/corosync-qnetd.service.in
++++ b/init/corosync-qnetd.service.in
+@@ -16,5 +16,18 @@ Restart=on-abnormal
+ RuntimeDirectory=corosync-qnetd
+ RuntimeDirectoryMode=0770
+
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=strict
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++NoNewPrivileges=true
++
+ [Install]
+ WantedBy=multi-user.target
+--
+2.47.0
+
diff --git a/corosync-qdevice.changes b/corosync-qdevice.changes
index ad3e789..cad8613 100644
--- a/corosync-qdevice.changes
+++ b/corosync-qdevice.changes
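Review bot: The two units in the new patch get different hardening sets — corosync-qdevice.service.in stops at ProtectKernelLogs=true under ProtectSystem=full, while corosync-qnetd.service.in additionally sets ProtectControlGroups=, RestrictRealtime= and NoNewPrivileges= under ProtectSystem=strict — and neither the patch description nor the changes entry says why. If the weaker qdevice set is deliberate (for example because qdevice needs a writable path or a privilege transition that strict or NoNewPrivileges would block), a comment beside the directives such as `# NoNewPrivileges= left out: <reason>` keeps the next reviewer from "fixing" it; if it is not deliberate, bringing qdevice up to the qnetd set is the expected change. ProtectSystem=strict on qnetd leaves only /dev, /proc, /sys and the RuntimeDirectory writable, so if corosync-qnetd writes to its NSS database directory at runtime it will now fail with EROFS and needs a ReadWritePaths= entry — worth confirming on a node running the patched unit before this ships.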
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 13 08:13:57 UTC 2024 - Nicholas Yang
+
+- Add a patch to harden services with systemd sandboxing:
+ * 0001-harden-services-with-systemd-sandboxing.patch
+
 -------------------------------------------------------------------
 Wed Apr 05 14:33:43 UTC 2023 - XLiang@suse.com
diff --git a/corosync-qdevice.spec b/corosync-qdevice.spec
index 1e2d75c..22eb8df 100644
--- a/corosync-qdevice.spec
+++ b/corosync-qdevice.spec
@@ -8,16 +8,13 @@
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
-# case the license is the MIT license). An "Open Source License" is a
+# case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
-# Conditionals
-# Invoke "rpmbuild --without " or "rpmbuild --with "
-# to disable or enable specific features
 %bcond_without runautogen
 %bcond_without systemd
@@ -26,22 +23,23 @@
 %global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
 %define _unpackaged_files_terminate_build 0
-Name: corosync-qdevice
-Summary: The Corosync Cluster Engine Qdevice
-Version: 3.0.3
-Release: 0%{?gitver}%{?dist}
-License: BSD-3-Clause
-URL: https://github.com/corosync/corosync-qdevice
-Source0: https://github.com/corosync/corosync-qdevice/releases/download/v%{version}%{?gittarver}/%{name}-%{version}%{?gittarver}.tar.gz
+Name: corosync-qdevice
+Summary: The Corosync Cluster Engine Qdevice
+Version: 3.0.3
+Release: 0%{?gitver}%{?dist}
+License: BSD-3-Clause
+URL: https://github.com/corosync/corosync-qdevice
+Source0: https://github.com/corosync/corosync-qdevice/releases/download/v%{version}%{?gittarver}/%{name}-%{version}%{?gittarver}.tar.gz
+Patch0: 0001-harden-services-with-systemd-sandboxing.patch
 # Runtime bits
-Requires: corosync > 2.4.6
-Requires: corosync-libs > 2.4.6
-Requires: mozilla-nss-tools
+Requires: corosync > 2.4.6
+Requires: corosync-libs > 2.4.6
+Requires: mozilla-nss-tools
 %if %{with systemd}
-BuildRequires: pkgconfig(systemd)
 BuildRequires: systemd-devel
+BuildRequires: pkgconfig(systemd)
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@@ -51,29 +49,31 @@ Requires(preun): /sbin/chkconfig
 %endif
 # Build bits
-BuildRequires: gcc
-BuildRequires: corosync-devel > 2.4.6
-BuildRequires: libqb-devel
-BuildRequires: sed
+BuildRequires: gcc
+BuildRequires: corosync-devel > 2.4.6
+BuildRequires: libqb-devel
+BuildRequires: sed
 %if 0%{?suse_version}
-BuildRequires: groff-full
+BuildRequires: groff-full
 %else
-BuildRequires: groff
+BuildRequires: groff
 %endif
 %if 0%{?suse_version}
-BuildRequires: mozilla-nss-devel
+BuildRequires: mozilla-nss-devel
 %else
-BuildRequires: nss-devel
+BuildRequires: nss-devel
 %endif
 %if %{with runautogen}
-BuildRequires: autoconf automake libtool
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
 %endif
 %prep
-%setup -q -n %{name}-%{version}%{?gittarver}
+%autosetup -p1 -n %{name}-%{version}%{?gittarver}
 echo %{version} > .tarball-version
 echo %{version} > .version
@@ -172,10 +172,10 @@ fi
 %{_mandir}/man8/corosync-qdevice.8*
 %package -n corosync-qnetd
-Summary: The Corosync Cluster Engine Qdevice Network Daemon
+Summary: The Corosync Cluster Engine Qdevice Network Daemon
 Group: System/Base
-Requires: mozilla-nss-tools
-Requires(pre): shadow
+Requires: mozilla-nss-tools
+Requires(pre): shadow
 Requires(pre): /usr/sbin/useradd
 Provides: group(coroqnetd)
 Provides: user(coroqnetd)