diff --git a/0001-harden-services-with-systemd-sandboxing.patch b/0001-harden-services-with-systemd-sandboxing.patch
new file mode 100644
index 0000000..d797559
--- /dev/null
+++ b/0001-harden-services-with-systemd-sandboxing.patch
@@ -0,0 +1,53 @@
+From 6d977c3f286a39b7e35c46ad3642a34617bdd833 Mon Sep 17 00:00:00 2001
+From: nicholasyang
+Date: Wed, 13 Nov 2024 14:28:53 +0800
+Subject: [PATCH] harden services with systemd sandboxing
+
+---
+ init/corosync-notifyd.service.in | 10 ++++++++++
+ init/corosync.service.in | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/corosync-notifyd.service.in b/init/corosync-notifyd.service.in
+index 410a6837..604a2a47 100644
+--- a/init/corosync-notifyd.service.in
++++ b/init/corosync-notifyd.service.in
+@@ -10,5 +10,15 @@ ExecStart=@SBINDIR@/corosync-notifyd -f $OPTIONS
+ Type=notify
+ Restart=on-failure
++
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/init/corosync.service.in b/init/corosync.service.in
+index bd2a48a9..63381f47 100644
+--- a/init/corosync.service.in
++++ b/init/corosync.service.in
+@@ -30,5 +30,15 @@ StandardError=null
+ # rewrite according to environment.
+ #ExecStartPre=/sbin/modprobe softdog
++
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++
+ [Install]
+ WantedBy=multi-user.target
+--
+2.47.0
+
diff --git a/_service b/_service
index 5facc25..2b01621 100644
--- a/_service
+++ b/_service
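Review bot: `PrivateDevices=true` in the corosync.service.in block hides every physical device node, so if an installation configures corosync's optional watchdog (the `watchdog_device` resource in corosync.conf, which opens a /dev/watchdog node) the daemon would no longer be able to open it once this patch lands; the hunk also leaves the commented `#ExecStartPre=/sbin/modprobe softdog` — which the preceding "rewrite according to environment" comment invites admins to enable — directly above `ProtectKernelModules=true`, which would block exactly that modprobe. If watchdog use is meant to stay possible, either omit `PrivateDevices=true` from corosync.service.in or state the trade-off where the bare URL comment now sits, e.g. `# Sandboxing per the openSUSE hardening guide; PrivateDevices hides /dev/watchdog and ProtectKernelModules blocks the softdog ExecStartPre above - relax these if the watchdog resource is configured.` The corosync-notifyd.service.in block has no visible device dependency and looks fine as written; a one-line note there saying which parts of the unit were checked against the hardening set would still help the next reviewer.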
@@ -1,19 +1,19 @@ - + https://github.com/corosync/corosync.git git corosync - 3.1.8+%cd.%h - 40e08b21 + 3.1.9 + v3.1.9 enable - + corosync*.tar gz - + corosync
diff --git a/_servicedata b/_servicedata
index fc76599..e16819b 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@ https://github.com/corosync/corosync.git - 40e08b219de94f3850f8f39291d89a5713e32f06 \ No newline at end of file + 4e683699b97740562db11f60c744b0f7f61916dd \ No newline at end of file
diff --git a/corosync-3.1.8.tar.gz b/corosync-3.1.8.tar.gz
deleted file mode 100644
index 4a142ca..0000000
--- a/corosync-3.1.8.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7023544fa3bb36c00bbcabd9935b7269b41d896738a108ed32ea9b9c9b27ec3d
-size 1169570
diff --git a/corosync-3.1.9.tar.gz b/corosync-3.1.9.tar.gz
new file mode 100644
index 0000000..a190804
--- /dev/null
+++ b/corosync-3.1.9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6660306e92e1b3fe9ecd707ab56184ef9b292fc5ff6cdd5acc3e502d432b631
+size 502512
diff --git a/corosync.changes b/corosync.changes
index 318968d..5a239a7 100644
--- a/corosync.changes
+++ b/corosync.changes
@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Mon Nov 18 03:51:09 UTC 2024 - nicholas.yang@suse.com
+
+- Update to version 3.1.9:
+ * rust: Update to latest standards
+ * totemsrp: Fix orf_token stats
+ * totem: Use uint64_t type and QB_TIME_NS_IN_MSEC
+ * totem: Use proper timestamp type for token warning
+ * stats: Store token rx and tx timestamps as 64-bit
+ * rust: fix clippy warning in rust 1.81
+ * coroparse: Free kv_item key and value on failure
+ * icmap: Free memory if qb_map_notify_add fails
+ * cfg: Free new_config interfaces on failure
+ * main: support lock pid file arg
+ * man: fix a typo in cpg_model_initialize
+ * man: Improve quorum provider formatting
+ * rust: tests return errors and don't hang
+ * rust: Improve Rust bindings
+ * Move corosync-notifyd policy file into $(datadir)/dbus-1/system.d
+ * man: corosync.conf: Multi improvements
+ * totem: Fix reference links
+ * Report crypto errors back to cfg reload
+ * Fix up the library .versions files
+ * configure: Fix building of rust for release
+ * License: Fix year (mainly to fix rust building)
+
+-------------------------------------------------------------------
+Wed Nov 13 06:48:08 UTC 2024 - Nicholas Yang
+
+- Add a patch to harden services with systemd sandboxing:
+ * 0001-harden-services-with-systemd-sandboxing.patch
+
 -------------------------------------------------------------------
 Wed May 15 12:18:23 UTC 2024 - Emil Penchev
diff --git a/corosync.spec b/corosync.spec
index 36d082f..c50dc1e 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -51,10 +51,11 @@ Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 License: BSD-3-Clause
 Group: Productivity/Clustering/HA
-Version: 3.1.8
-Release: 3
-Url: http://corosync.github.io/corosync/
-Source0: https://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
+Version: 3.1.9
+Release: 0
+URL: http://corosync.github.io/corosync/
+Source0: %{name}-%{version}.tar.gz
+Patch0: 0001-harden-services-with-systemd-sandboxing.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 # provide openais on purpose, the package has been deleted.
@@ -64,16 +65,16 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Requires: %{name}-libs = %{version}-%{release}
 # Support crypto reload
-Requires: libknet1 >= 1.28
+Requires: libknet1 >= 1.28
 # NSS crypto plugin should be always installed
-Requires: libknet1-crypto-nss-plugin >= 1.28
+Requires: libknet1-crypto-nss-plugin >= 1.28
 # Build bits
 BuildRequires: gcc
 BuildRequires: groff-full
-BuildRequires: libqb-devel
 BuildRequires: libknet-devel >= 1.28
+BuildRequires: libqb-devel
 BuildRequires: zlib-devel
 %if %{with runautogen}
 BuildRequires: autoconf
@@ -90,11 +91,11 @@ BuildRequires: net-snmp-devel
 BuildRequires: dbus-1-devel
 %endif
 %if %{with nozzle}
-BuildRequires: libnozzle-devel
+BuildRequires: libnozzle-devel
 %endif
 %if %{with systemd}
+BuildRequires: systemd-devel
 BuildRequires: pkgconfig(systemd)
-BuildRequires: systemd-devel
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
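Review bot: `Source0: %{name}-%{version}.tar.gz` drops the upstream release URL, so the tarball is now whatever the OBS source service generates from the `v3.1.9` tag named in `_service`, and nothing in the spec records that origin; a tag is a movable reference, and the commit hash written to `_servicedata` is the only immutable pin for what was actually packaged. A comment above Source0 would make that provenance reviewable from the spec alone, e.g. `# Tarball is produced by _service (tar_scm) from upstream tag v%{version}; _servicedata records the exact commit.` The same applies to the new `Patch0:` line, which the changelog explains but the spec does not; `# Local patch: systemd sandboxing directives for the two unit files` next to it would do.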
@@ -103,21 +104,21 @@ Requires(postun): systemd
 Requires: libxslt
 %endif
 %if %{with vqsim}
-BuildRequires: readline-devel
+BuildRequires: readline-devel
 %endif
-Obsoletes: libcfg6
-Obsoletes: libcmap4
-Obsoletes: libcorosync_common4
-Obsoletes: libcpg4
-Obsoletes: libquorum5
-Obsoletes: libsam4
-Obsoletes: libtotem_pg5
-Obsoletes: libvotequorum8
+Obsoletes: libcfg6
+Obsoletes: libcmap4
+Obsoletes: libcorosync_common4
+Obsoletes: libcpg4
+Obsoletes: libquorum5
+Obsoletes: libsam4
+Obsoletes: libtotem_pg5
+Obsoletes: libvotequorum8
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 rm -f .git*
 echo %{version} > .tarball-version
@@ -282,7 +283,7 @@ fi
 #library
 #
 %package libs
-Summary: The corosync Cluster Engine Libraries
+Summary: The corosync Cluster Engine Libraries
 %description libs
 This package contains corosync libraries.
@@ -340,9 +341,9 @@ The Corosync Cluster Engine APIs.
 %if %{with vqsim}
 %package vqsim
-Summary: The Corosync Cluster Engine - Votequorum Simulator
-Requires: %{name}-libs = %{version}-%{release}
-Requires: pkgconfig
+Summary: The Corosync Cluster Engine - Votequorum Simulator
+Requires: %{name}-libs = %{version}-%{release}
+Requires: pkgconfig
 %description vqsim
 A command-line simulator for the corosync votequorum subsystem.