Sync from SUSE:SLFO:Main corosync-qdevice revision 646b7048f17314a09aa88ad1fec2a3d4

2024-12-20 16:03:10 +01:00 · 2024-12-20 16:03:10 +01:00 · a09dcbde21
commit a09dcbde21
parent a646f630bf
3 changed files with 91 additions and 29 deletions
--- a/0001-harden-services-with-systemd-sandboxing.patch
+++ b/0001-harden-services-with-systemd-sandboxing.patch
@ -0,0 +1,56 @@
+From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001
+From: nicholasyang <nicholas.yang@suse.com>
+Date: Wed, 13 Nov 2024 16:11:10 +0800
+Subject: [PATCH] harden services with systemd sandboxing
+
+---
+ init/corosync-qdevice.service.in | 10 ++++++++++
+ init/corosync-qnetd.service.in   | 13 +++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
+index 5ffb498..824e557 100644
+--- a/init/corosync-qdevice.service.in
+++ b/init/corosync-qdevice.service.in
+@@ -14,5 +14,15 @@ Restart=on-failure
+ RuntimeDirectory=corosync-qdevice
+ RuntimeDirectoryMode=0770
+ 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
+index a8d6a7e..64da610 100644
+--- a/init/corosync-qnetd.service.in
+++ b/init/corosync-qnetd.service.in
+@@ -16,5 +16,18 @@ Restart=on-abnormal
+ RuntimeDirectory=corosync-qnetd
+ RuntimeDirectoryMode=0770
+ 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+NoNewPrivileges=true
+
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.47.0
+
--- a/corosync-qdevice.changes
+++ b/corosync-qdevice.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 13 08:13:57 UTC 2024 - Nicholas Yang <nicholas.yang@suse.com>
+
+- Add a patch to harden services with systemd sandboxing:
+  * 0001-harden-services-with-systemd-sandboxing.patch
+
 -------------------------------------------------------------------
 Wed Apr 05 14:33:43 UTC 2023 - XLiang@suse.com

--- a/corosync-qdevice.spec
+++ b/corosync-qdevice.spec
@ -8,16 +8,13 @@
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
-# case the license is the MIT license). An "Open Source License" is a
+# case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

-# Conditionals
-# Invoke "rpmbuild --without <feature>" or "rpmbuild --with <feature>"
-# to disable or enable specific features

 %bcond_without runautogen
 %bcond_without systemd
@ -26,22 +23,23 @@
 %global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
 %define _unpackaged_files_terminate_build 0

-Name:    corosync-qdevice
-Summary: The Corosync Cluster Engine Qdevice
-Version: 3.0.3
-Release: 0%{?gitver}%{?dist}
-License: BSD-3-Clause
-URL:     https://github.com/corosync/corosync-qdevice
-Source0: https://github.com/corosync/corosync-qdevice/releases/download/v%{version}%{?gittarver}/%{name}-%{version}%{?gittarver}.tar.gz
+Name:           corosync-qdevice
+Summary:        The Corosync Cluster Engine Qdevice
+Version:        3.0.3
+Release:        0%{?gitver}%{?dist}
+License:        BSD-3-Clause
+URL:            https://github.com/corosync/corosync-qdevice
+Source0:        https://github.com/corosync/corosync-qdevice/releases/download/v%{version}%{?gittarver}/%{name}-%{version}%{?gittarver}.tar.gz
+Patch0:         0001-harden-services-with-systemd-sandboxing.patch

 # Runtime bits
-Requires: corosync > 2.4.6
-Requires: corosync-libs > 2.4.6
-Requires: mozilla-nss-tools
+Requires:       corosync > 2.4.6
+Requires:       corosync-libs > 2.4.6
+Requires:       mozilla-nss-tools

 %if %{with systemd}
-BuildRequires: pkgconfig(systemd)
 BuildRequires:  systemd-devel
+BuildRequires:  pkgconfig(systemd)
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@ -51,29 +49,31 @@ Requires(preun): /sbin/chkconfig
 %endif

 # Build bits
-BuildRequires: gcc
-BuildRequires: corosync-devel > 2.4.6
-BuildRequires: libqb-devel
-BuildRequires: sed
+BuildRequires:  gcc
+BuildRequires:  corosync-devel > 2.4.6
+BuildRequires:  libqb-devel
+BuildRequires:  sed

 %if 0%{?suse_version}
-BuildRequires: groff-full
+BuildRequires:  groff-full
 %else
-BuildRequires: groff
+BuildRequires:  groff
 %endif

 %if 0%{?suse_version}
-BuildRequires: mozilla-nss-devel
+BuildRequires:  mozilla-nss-devel
 %else
-BuildRequires: nss-devel
+BuildRequires:  nss-devel
 %endif

 %if %{with runautogen}
-BuildRequires: autoconf automake libtool
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
 %endif

 %prep
-%setup -q -n %{name}-%{version}%{?gittarver}
+%autosetup -p1 -n %{name}-%{version}%{?gittarver}

 echo %{version} > .tarball-version
 echo %{version} > .version
@ -172,10 +172,10 @@ fi
 %{_mandir}/man8/corosync-qdevice.8*

 %package -n corosync-qnetd
-Summary: The Corosync Cluster Engine Qdevice Network Daemon
+Summary:        The Corosync Cluster Engine Qdevice Network Daemon
 Group:          System/Base
-Requires: mozilla-nss-tools
-Requires(pre): shadow
+Requires:       mozilla-nss-tools
+Requires(pre):  shadow
 Requires(pre):  /usr/sbin/useradd
 Provides:       group(coroqnetd)
 Provides:       user(coroqnetd)