Sync from SUSE:SLFO:Main corosync revision 691ee92e590b83953d36d7c62f4f0743

0001-harden-services-with-systemd-sandboxing.patch

@@ -0,0 +1,53 @@
+From 6d977c3f286a39b7e35c46ad3642a34617bdd833 Mon Sep 17 00:00:00 2001
+From: nicholasyang <nicholas.yang@suse.com>
+Date: Wed, 13 Nov 2024 14:28:53 +0800
+Subject: [PATCH] harden services with systemd sandboxing
+
+---
+ init/corosync-notifyd.service.in | 10 ++++++++++
+ init/corosync.service.in         | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/corosync-notifyd.service.in b/init/corosync-notifyd.service.in
+index 410a6837..604a2a47 100644
+--- a/init/corosync-notifyd.service.in
++++ b/init/corosync-notifyd.service.in
+@@ -10,5 +10,15 @@ ExecStart=@SBINDIR@/corosync-notifyd -f $OPTIONS
+ Type=notify
+ Restart=on-failure
+ 
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/init/corosync.service.in b/init/corosync.service.in
+index bd2a48a9..63381f47 100644
+--- a/init/corosync.service.in
++++ b/init/corosync.service.in
+@@ -30,5 +30,15 @@ StandardError=null
+ #  rewrite according to environment.
+ #ExecStartPre=/sbin/modprobe softdog
+ 
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.47.0
+

_service

@@ -1,19 +1,19 @@
 <services>
-  <service name="tar_scm" mode="disabled">
+  <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/corosync/corosync.git</param>
     <param name="scm">git</param>
     <param name="filename">corosync</param>
-    <param name="versionformat">3.1.8+%cd.%h</param>
-    <param name="revision">40e08b21</param>
+    <param name="versionformat">3.1.9</param>
+    <param name="revision">v3.1.9</param>
     <param name="changesgenerate">enable</param>
   </service>
 
-  <service name="recompress" mode="disabled">
+  <service name="recompress" mode="manual">
     <param name="file">corosync*.tar</param>
     <param name="compression">gz</param>
   </service>
 
-  <service name="set_version" mode="disabled">
+  <service name="set_version" mode="manual">
     <param name="basename">corosync</param>
   </service>
 </services>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/corosync/corosync.git</param>
-              <param name="changesrevision">40e08b219de94f3850f8f39291d89a5713e32f06</param></service></servicedata>
+              <param name="changesrevision">4e683699b97740562db11f60c744b0f7f61916dd</param></service></servicedata>

corosync.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Mon Nov 18 03:51:09 UTC 2024 - nicholas.yang@suse.com
+
+- Update to version 3.1.9:
+  * rust: Update to latest standards
+  * totemsrp: Fix orf_token stats
+  * totem: Use uint64_t type and QB_TIME_NS_IN_MSEC
+  * totem: Use proper timestamp type for token warning
+  * stats: Store token rx and tx timestamps as 64-bit
+  * rust: fix clippy warning in rust 1.81
+  * coroparse: Free kv_item key and value on failure
+  * icmap: Free memory if qb_map_notify_add fails
+  * cfg: Free new_config interfaces on failure
+  * main: support lock pid file arg
+  * man: fix a typo in cpg_model_initialize
+  * man: Improve quorum provider formatting
+  * rust: tests return errors and don't hang
+  * rust: Improve Rust bindings
+  * Move corosync-notifyd policy file into $(datadir)/dbus-1/system.d
+  * man: corosync.conf: Multi improvements
+  * totem: Fix reference links
+  * Report crypto errors back to cfg reload
+  * Fix up the library .versions files
+  * configure: Fix building of rust for release
+  * License: Fix year (mainly to fix rust building)
+
+-------------------------------------------------------------------
+Wed Nov 13 06:48:08 UTC 2024 - Nicholas Yang <nicholas.yang@suse.com>
+
+- Add a patch to harden services with systemd sandboxing:
+  * 0001-harden-services-with-systemd-sandboxing.patch
+
 -------------------------------------------------------------------
 Wed May 15 12:18:23 UTC 2024 - Emil Penchev <emil.penchev@suse.com>
 

corosync.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -51,10 +51,11 @@ Name:           corosync
 Summary:        The Corosync Cluster Engine and Application Programming Interfaces
 License:        BSD-3-Clause
 Group:          Productivity/Clustering/HA
-Version:        3.1.8
-Release:        3
-Url:            http://corosync.github.io/corosync/
-Source0:        https://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
+Version:        3.1.9
+Release:        0
+URL:            http://corosync.github.io/corosync/
+Source0:        %{name}-%{version}.tar.gz
+Patch0:         0001-harden-services-with-systemd-sandboxing.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # provide openais on purpose, the package has been deleted.
@@ -64,16 +65,16 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       %{name}-libs = %{version}-%{release}
 
 # Support crypto reload
-Requires: libknet1 >= 1.28
+Requires:       libknet1 >= 1.28
 # NSS crypto plugin should be always installed
-Requires: libknet1-crypto-nss-plugin >= 1.28
+Requires:       libknet1-crypto-nss-plugin >= 1.28
 
 # Build bits
 BuildRequires:  gcc
 
 BuildRequires:  groff-full
-BuildRequires:  libqb-devel
 BuildRequires:  libknet-devel >= 1.28
+BuildRequires:  libqb-devel
 BuildRequires:  zlib-devel
 %if %{with runautogen}
 BuildRequires:  autoconf
@@ -90,11 +91,11 @@ BuildRequires:  net-snmp-devel
 BuildRequires:  dbus-1-devel
 %endif
 %if %{with nozzle}
-BuildRequires: libnozzle-devel
+BuildRequires:  libnozzle-devel
 %endif
 %if %{with systemd}
+BuildRequires:  systemd-devel
 BuildRequires:  pkgconfig(systemd)
-BuildRequires:	systemd-devel
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@@ -103,21 +104,21 @@ Requires(postun): systemd
 Requires:       libxslt
 %endif
 %if %{with vqsim}
-BuildRequires: readline-devel
+BuildRequires:  readline-devel
 %endif
-Obsoletes: libcfg6
-Obsoletes: libcmap4
-Obsoletes: libcorosync_common4
-Obsoletes: libcpg4
-Obsoletes: libquorum5
-Obsoletes: libsam4
-Obsoletes: libtotem_pg5
-Obsoletes: libvotequorum8
+Obsoletes:      libcfg6
+Obsoletes:      libcmap4
+Obsoletes:      libcorosync_common4
+Obsoletes:      libcpg4
+Obsoletes:      libquorum5
+Obsoletes:      libsam4
+Obsoletes:      libtotem_pg5
+Obsoletes:      libvotequorum8
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 
 rm -f .git*
 echo %{version} > .tarball-version
@@ -282,7 +283,7 @@ fi
 #library
 #
 %package libs
-Summary: The corosync Cluster Engine Libraries
+Summary:        The corosync Cluster Engine Libraries
 
 %description libs
 This package contains corosync libraries.
@@ -340,9 +341,9 @@ The Corosync Cluster Engine APIs.
 
 %if %{with vqsim}
 %package vqsim
-Summary: The Corosync Cluster Engine - Votequorum Simulator
-Requires: %{name}-libs = %{version}-%{release}
-Requires: pkgconfig
+Summary:        The Corosync Cluster Engine - Votequorum Simulator
+Requires:       %{name}-libs = %{version}-%{release}
+Requires:       pkgconfig
 
 %description vqsim
 A command-line simulator for the corosync votequorum subsystem.