Sync from SUSE:SLFO:Main corosync revision 691ee92e590b83953d36d7c62f4f0743

This commit is contained in:
Adrian Schröter 2024-12-18 16:12:29 +01:00
parent b25f971f90
commit 7fe1129452
7 changed files with 119 additions and 33 deletions


@ -0,0 +1,53 @@
From 6d977c3f286a39b7e35c46ad3642a34617bdd833 Mon Sep 17 00:00:00 2001
From: nicholasyang <nicholas.yang@suse.com>
Date: Wed, 13 Nov 2024 14:28:53 +0800
Subject: [PATCH] harden services with systemd sandboxing
---
init/corosync-notifyd.service.in | 10 ++++++++++
init/corosync.service.in | 10 ++++++++++
2 files changed, 20 insertions(+)
diff --git a/init/corosync-notifyd.service.in b/init/corosync-notifyd.service.in
index 410a6837..604a2a47 100644
--- a/init/corosync-notifyd.service.in
+++ b/init/corosync-notifyd.service.in
@@ -10,5 +10,15 @@ ExecStart=@SBINDIR@/corosync-notifyd -f $OPTIONS
Type=notify
Restart=on-failure
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
[Install]
WantedBy=multi-user.target
diff --git a/init/corosync.service.in b/init/corosync.service.in
index bd2a48a9..63381f47 100644
--- a/init/corosync.service.in
+++ b/init/corosync.service.in
@@ -30,5 +30,15 @@ StandardError=null
# rewrite according to environment.
#ExecStartPre=/sbin/modprobe softdog
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
[Install]
WantedBy=multi-user.target
--
2.47.0
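Review bot: PrivateDevices=true in the corosync.service hunk hides /dev/watchdog, because the private /dev it sets up carries only pseudo-devices such as /dev/null and /dev/random, and the retained context line `#ExecStartPre=/sbin/modprobe softdog` indicates this unit is meant to work with corosync's watchdog support (watchdog_device in corosync.conf), which would then fail silently under the new sandbox. If that feature is to keep working, restrict devices instead of removing them: `DevicePolicy=closed` plus `DeviceAllow=/dev/watchdog rw` in place of `PrivateDevices=true`, since DeviceAllow cannot re-add a node once PrivateDevices has replaced /dev. ProtectKernelModules=true would likewise block that modprobe line if an administrator uncomments it, so a note beside the hardening block would help, e.g. `# PrivateDevices hides /dev/watchdog and ProtectKernelModules blocks modprobe; relax both if watchdog_device is configured`. From what is visible, corosync-notifyd has no comparable device dependency, so the same settings look safe there; the rest of both [Service] sections lies outside the hunks.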


@ -1,19 +1,19 @@
<services> <services>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="manual">
<param name="url">https://github.com/corosync/corosync.git</param> <param name="url">https://github.com/corosync/corosync.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="filename">corosync</param> <param name="filename">corosync</param>
<param name="versionformat">3.1.8+%cd.%h</param> <param name="versionformat">3.1.9</param>
<param name="revision">40e08b21</param> <param name="revision">v3.1.9</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
</service> </service>
<service name="recompress" mode="disabled"> <service name="recompress" mode="manual">
<param name="file">corosync*.tar</param> <param name="file">corosync*.tar</param>
<param name="compression">gz</param> <param name="compression">gz</param>
</service> </service>
<service name="set_version" mode="disabled"> <service name="set_version" mode="manual">
<param name="basename">corosync</param> <param name="basename">corosync</param>
</service> </service>
</services> </services>
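Review bot: The revision param now points at the tag `v3.1.9` where the previous configuration pinned a commit hash (`40e08b21`); a tag is a mutable reference, so re-running the service could fetch different content under the same version string. The accompanying _servicedata already records the resolved commit, so pinning it, `<param name="revision">4e683699b97740562db11f60c744b0f7f61916dd</param>`, keeps the fetch reproducible while versionformat still yields 3.1.9. Switching mode from disabled to manual is fine provided the checked-in tarball, not a build-time fetch, stays the package source.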


@ -1,4 +1,4 @@
<servicedata> <servicedata>
<service name="tar_scm"> <service name="tar_scm">
<param name="url">https://github.com/corosync/corosync.git</param> <param name="url">https://github.com/corosync/corosync.git</param>
<param name="changesrevision">40e08b219de94f3850f8f39291d89a5713e32f06</param></service></servicedata> <param name="changesrevision">4e683699b97740562db11f60c744b0f7f61916dd</param></service></servicedata>

BIN
corosync-3.1.8.tar.gz (Stored with Git LFS)


BIN
corosync-3.1.9.tar.gz (Stored with Git LFS) Normal file



@ -1,3 +1,35 @@
-------------------------------------------------------------------
Mon Nov 18 03:51:09 UTC 2024 - nicholas.yang@suse.com
- Update to version 3.1.9:
* rust: Update to latest standards
* totemsrp: Fix orf_token stats
* totem: Use uint64_t type and QB_TIME_NS_IN_MSEC
* totem: Use proper timestamp type for token warning
* stats: Store token rx and tx timestamps as 64-bit
* rust: fix clippy warning in rust 1.81
* coroparse: Free kv_item key and value on failure
* icmap: Free memory if qb_map_notify_add fails
* cfg: Free new_config interfaces on failure
* main: support lock pid file arg
* man: fix a typo in cpg_model_initialize
* man: Improve quorum provider formatting
* rust: tests return errors and don't hang
* rust: Improve Rust bindings
* Move corosync-notifyd policy file into $(datadir)/dbus-1/system.d
* man: corosync.conf: Multi improvements
* totem: Fix reference links
* Report crypto errors back to cfg reload
* Fix up the library .versions files
* configure: Fix building of rust for release
* License: Fix year (mainly to fix rust building)
-------------------------------------------------------------------
Wed Nov 13 06:48:08 UTC 2024 - Nicholas Yang <nicholas.yang@suse.com>
- Add a patch to harden services with systemd sandboxing:
* 0001-harden-services-with-systemd-sandboxing.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed May 15 12:18:23 UTC 2024 - Emil Penchev <emil.penchev@suse.com> Wed May 15 12:18:23 UTC 2024 - Emil Penchev <emil.penchev@suse.com>


@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
@ -51,10 +51,11 @@ Name: corosync
Summary: The Corosync Cluster Engine and Application Programming Interfaces Summary: The Corosync Cluster Engine and Application Programming Interfaces
License: BSD-3-Clause License: BSD-3-Clause
Group: Productivity/Clustering/HA Group: Productivity/Clustering/HA
Version: 3.1.8 Version: 3.1.9
Release: 3 Release: 0
Url: http://corosync.github.io/corosync/ URL: http://corosync.github.io/corosync/
Source0: https://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz Source0: %{name}-%{version}.tar.gz
Patch0: 0001-harden-services-with-systemd-sandboxing.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
# provide openais on purpose, the package has been deleted. # provide openais on purpose, the package has been deleted.
@ -72,8 +73,8 @@ Requires: libknet1-crypto-nss-plugin >= 1.28
BuildRequires: gcc BuildRequires: gcc
BuildRequires: groff-full BuildRequires: groff-full
BuildRequires: libqb-devel
BuildRequires: libknet-devel >= 1.28 BuildRequires: libknet-devel >= 1.28
BuildRequires: libqb-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
%if %{with runautogen} %if %{with runautogen}
BuildRequires: autoconf BuildRequires: autoconf
@ -93,8 +94,8 @@ BuildRequires: dbus-1-devel
BuildRequires: libnozzle-devel BuildRequires: libnozzle-devel
%endif %endif
%if %{with systemd} %if %{with systemd}
BuildRequires: pkgconfig(systemd)
BuildRequires: systemd-devel BuildRequires: systemd-devel
BuildRequires: pkgconfig(systemd)
Requires(post): systemd Requires(post): systemd
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
@ -117,7 +118,7 @@ Obsoletes: libvotequorum8
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%prep %prep
%setup -q -n %{name}-%{version} %autosetup -p1 -n %{name}-%{version}
rm -f .git* rm -f .git*
echo %{version} > .tarball-version echo %{version} > .tarball-version
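Review bot: Source0 in the @ -51 hunk drops the upstream release URL in favour of a bare `%{name}-%{version}.tar.gz`, so nothing in the spec records where the tarball comes from or that it is a git-derived archive rather than the release artifact published at build.clusterlabs.org, and OBS source checks or a human reviewer can no longer compare it against upstream by URL. Add a provenance comment above the line, e.g. `# Tarball generated by _service (tar_scm) from upstream tag v3.1.9; see _servicedata for the exact commit`, or restore the URL if the upstream release tarball is what is actually shipped. The switch to `%autosetup -p1` does apply the new Patch0 correctly; the %prep section continues outside this hunk.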