Sync from SUSE:SLFO:Main corosync-qdevice revision 646b7048f17314a09aa88ad1fec2a3d4
This commit is contained in:
parent
a646f630bf
commit
a09dcbde21
56
0001-harden-services-with-systemd-sandboxing.patch
Normal file
56
0001-harden-services-with-systemd-sandboxing.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001
|
||||
From: nicholasyang <nicholas.yang@suse.com>
|
||||
Date: Wed, 13 Nov 2024 16:11:10 +0800
|
||||
Subject: [PATCH] harden services with systemd sandboxing
|
||||
|
||||
---
|
||||
init/corosync-qdevice.service.in | 10 ++++++++++
|
||||
init/corosync-qnetd.service.in | 13 +++++++++++++
|
||||
2 files changed, 23 insertions(+)
|
||||
|
||||
diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
|
||||
index 5ffb498..824e557 100644
|
||||
--- a/init/corosync-qdevice.service.in
|
||||
+++ b/init/corosync-qdevice.service.in
|
||||
@@ -14,5 +14,15 @@ Restart=on-failure
|
||||
RuntimeDirectory=corosync-qdevice
|
||||
RuntimeDirectoryMode=0770
|
||||
|
||||
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
+ProtectSystem=full
|
||||
+ProtectHome=true
|
||||
+PrivateDevices=true
|
||||
+ProtectHostname=true
|
||||
+ProtectClock=true
|
||||
+ProtectKernelTunables=true
|
||||
+ProtectKernelModules=true
|
||||
+ProtectKernelLogs=true
|
||||
+
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
|
||||
index a8d6a7e..64da610 100644
|
||||
--- a/init/corosync-qnetd.service.in
|
||||
+++ b/init/corosync-qnetd.service.in
|
||||
@@ -16,5 +16,18 @@ Restart=on-abnormal
|
||||
RuntimeDirectory=corosync-qnetd
|
||||
RuntimeDirectoryMode=0770
|
||||
|
||||
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
+ProtectSystem=strict
|
||||
+ProtectHome=true
|
||||
+PrivateDevices=true
|
||||
+ProtectHostname=true
|
||||
+ProtectClock=true
|
||||
+ProtectKernelTunables=true
|
||||
+ProtectKernelModules=true
|
||||
+ProtectKernelLogs=true
|
||||
+ProtectControlGroups=true
|
||||
+RestrictRealtime=true
|
||||
+NoNewPrivileges=true
|
||||
+
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 13 08:13:57 UTC 2024 - Nicholas Yang <nicholas.yang@suse.com>
|
||||
|
||||
- Add a patch to harden services with systemd sandboxing:
|
||||
* 0001-harden-services-with-systemd-sandboxing.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 05 14:33:43 UTC 2023 - XLiang@suse.com
|
||||
|
||||
|
||||
@ -8,16 +8,13 @@
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT license). An "Open Source License" is a
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
# Conditionals
|
||||
# Invoke "rpmbuild --without <feature>" or "rpmbuild --with <feature>"
|
||||
# to disable or enable specific features
|
||||
|
||||
%bcond_without runautogen
|
||||
%bcond_without systemd
|
||||
@ -33,6 +30,7 @@ Release: 0%{?gitver}%{?dist}
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/corosync/corosync-qdevice
|
||||
Source0: https://github.com/corosync/corosync-qdevice/releases/download/v%{version}%{?gittarver}/%{name}-%{version}%{?gittarver}.tar.gz
|
||||
Patch0: 0001-harden-services-with-systemd-sandboxing.patch
|
||||
|
||||
# Runtime bits
|
||||
Requires: corosync > 2.4.6
|
||||
@ -40,8 +38,8 @@ Requires: corosync-libs > 2.4.6
|
||||
Requires: mozilla-nss-tools
|
||||
|
||||
%if %{with systemd}
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
@ -69,11 +67,13 @@ BuildRequires: nss-devel
|
||||
%endif
|
||||
|
||||
%if %{with runautogen}
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}%{?gittarver}
|
||||
%autosetup -p1 -n %{name}-%{version}%{?gittarver}
|
||||
|
||||
echo %{version} > .tarball-version
|
||||
echo %{version} > .version
|
||||
|
||||
Loading…
Reference in New Issue
Block a user