diff --git a/e2fsprogs-1.46.3.tar.sign b/e2fsprogs-1.46.3.tar.sign
deleted file mode 100644
index 2525f6e..0000000
Binary files a/e2fsprogs-1.46.3.tar.sign and /dev/null differ
diff --git a/e2fsprogs-1.46.3.tar.xz b/e2fsprogs-1.46.3.tar.xz
deleted file mode 100644
index b9ea3f4..0000000
--- a/e2fsprogs-1.46.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:86d1580facdd49f2e0e6b027e26b1e6c48af538762dc40aeed2a87153c1f11b7
-size 7024896
diff --git a/e2fsprogs-1.46.4.tar.sign b/e2fsprogs-1.46.4.tar.sign
new file mode 100644
index 0000000..caa40af
Binary files /dev/null and b/e2fsprogs-1.46.4.tar.sign differ
diff --git a/e2fsprogs-1.46.4.tar.xz b/e2fsprogs-1.46.4.tar.xz
new file mode 100644
index 0000000..34468e8
--- /dev/null
+++ b/e2fsprogs-1.46.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b11042533c1b1dcf17512f0da48e05b0c573dada1dd8b762864d10f4dc399713
+size 7035200
diff --git a/e2fsprogs.changes b/e2fsprogs.changes
index 4d79f49..05558dc 100644
--- a/e2fsprogs.changes
+++ b/e2fsprogs.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Sep 15 09:16:54 UTC 2021 - Jan Kara
+
+- Update to 1.46.4:
+ * Default to 256-byte inodes for all filesystems, not only larger ones
+ * Bigalloc is considered supported now for small cluster sizes
+ * E2fsck and e2image fixes for quota feature
+ * Fix mke2fs creation of filesystem into non-existent file
+- libss-add-newer-libreadline.so.8-to-dlopen-path.patch: libss: add newer
+ libreadline.so.8 to dlopen path (bsc#1189453)
+
+-------------------------------------------------------------------
+Tue Sep 14 07:03:07 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_e2scrub@.service.patch
+ * harden_e2scrub_all.service.patch
+ * harden_e2scrub_fail@.service.patch
+ * harden_e2scrub_reap.service.patch
+
 -------------------------------------------------------------------
 Mon Aug 2 20:47:09 UTC 2021 - Jan Kara
diff --git a/e2fsprogs.spec b/e2fsprogs.spec
index 7aefcf2..5996599 100644
--- a/e2fsprogs.spec
+++ b/e2fsprogs.spec
@@ -66,7 +66,7 @@ Conflicts: libcom_err2-mini
 Conflicts: libcom_err-mini-devel
 %endif
 #
-Version: 1.46.3
+Version: 1.46.4
 Release: 0
 Summary: Utilities for the Second Extended File System
 License: GPL-2.0-only
@@ -89,6 +89,11 @@ Source5: https://thunk.org/tytso/tytso-key.asc#/%{name}.keyring
 Patch3: libcom_err-compile_et_permissions.patch
 Patch4: e2fsprogs-1.42-implicit_fortify_decl.patch
 Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch
+Patch6: harden_e2scrub@.service.patch
+Patch7: harden_e2scrub_all.service.patch
+Patch8: harden_e2scrub_fail@.service.patch
+Patch9: harden_e2scrub_reap.service.patch
+Patch10: libss-add-newer-libreadline.so.8-to-dlopen-path.patch
 # Do not suppress make commands
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -253,6 +258,11 @@ Development files for the com_err error message display library. Static librarie
 %patch4
 %patch5
 cp %{SOURCE2} .
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
diff --git a/harden_e2scrub@.service.patch b/harden_e2scrub@.service.patch
new file mode 100644
index 0000000..8913583
--- /dev/null
+++ b/harden_e2scrub@.service.patch
@@ -0,0 +1,20 @@
+Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
+===================================================================
+--- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
++++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
+@@ -10,6 +10,15 @@ PrivateNetwork=true
+ ProtectSystem=true
+ ProtectHome=read-only
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
+ NoNewPrivileges=yes
+ User=root
diff --git a/harden_e2scrub_all.service.patch b/harden_e2scrub_all.service.patch
new file mode 100644
index 0000000..fbcd365
--- /dev/null
+++ b/harden_e2scrub_all.service.patch
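Review bot: In harden_e2scrub@.service.patch the added `ProtectClock=true` does more than block clock changes: per systemd.exec(5) it implies `DeviceAllow=char-rtc r`, and once any DeviceAllow entry exists the default device policy stops allowing all devices and becomes an allow-list. This unit keeps `AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO`, which suggests it works on block devices directly, so the scrub may lose access to the volumes it is meant to check. The same line is added in harden_e2scrub_all.service.patch, harden_e2scrub_fail@.service.patch and harden_e2scrub_reap.service.patch. I would drop `ProtectClock=true` from the units that open block devices, or pair it with an explicit `DeviceAllow=` list that has been tested against a real scrub run.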
@@ -0,0 +1,23 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
++++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
+ Documentation=man:e2scrub_all(8)
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ Environment=SERVICE_MODE=1
+ ExecStart=@root_sbindir@/e2scrub_all
diff --git a/harden_e2scrub_fail@.service.patch b/harden_e2scrub_fail@.service.patch
new file mode 100644
index 0000000..d8c2d2d
--- /dev/null
+++ b/harden_e2scrub_fail@.service.patch
@@ -0,0 +1,23 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
++++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
+ Documentation=man:e2scrub(8)
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ ExecStart=@pkglibdir@/e2scrub_fail "%I"
+ User=mail
diff --git a/harden_e2scrub_reap.service.patch b/harden_e2scrub_reap.service.patch
new file mode 100644
index 0000000..8491e15
--- /dev/null
+++ b/harden_e2scrub_reap.service.patch
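Review bot: The `Index:`, `---` and `+++` header lines inside harden_e2scrub_all.service.patch still name `e2fsprogs-1.46.3`, while this commit moves the package to 1.46.4 and harden_e2scrub@.service.patch already uses the 1.46.4 paths; harden_e2scrub_fail@.service.patch and harden_e2scrub_reap.service.patch carry the same stale prefix. `%patch7 -p1` strips that path component, so the patch still applies, but it suggests the three patches were not refreshed against the new tarball and any context drift may be hidden by fuzz. I would refresh them so the header reads `Index: e2fsprogs-1.46.4/scrub/e2scrub_all.service.in`.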
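Review bot: harden_e2scrub_fail@.service.patch adds syscall-filter-backed options such as `RestrictRealtime=true` and `ProtectClock=true` to a unit that runs as `User=mail`, and systemd.exec(5) documents that these imply `NoNewPrivileges=yes` when the service runs without CAP_SYS_ADMIN. If `e2scrub_fail` hands its report to a setuid or setgid mail submission helper, that helper can no longer gain its privileges and the failure notification would be lost without any visible error in the scrub itself. This should be tested with the distribution's default MTA before shipping; if delivery breaks, drop the options that carry the implication from this one unit and say why in a comment next to the block.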
@@ -0,0 +1,21 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
++++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
+@@ -11,6 +11,16 @@ PrivateNetwork=true
+ ProtectSystem=true
+ ProtectHome=read-only
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
+ NoNewPrivileges=yes
+ User=root
diff --git a/libss-add-newer-libreadline.so.8-to-dlopen-path.patch b/libss-add-newer-libreadline.so.8-to-dlopen-path.patch
new file mode 100644
index 0000000..ae20e63
--- /dev/null
+++ b/libss-add-newer-libreadline.so.8-to-dlopen-path.patch
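Review bot: harden_e2scrub_reap.service.patch adds `ProtectKernelModules=true`, but harden_e2scrub@.service.patch leaves it out although both units run as `User=root` with the same `AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO`, and neither patch says whether the difference is intended. Because the block is labelled `# added automatically`, a later regeneration could add or remove the option without anyone noticing. I would record the reason next to the block in the unit that deviates, for example `# ProtectKernelModules omitted here: <reason>`, so the next maintainer can tell which directives were hand-tuned.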
@@ -0,0 +1,29 @@
+From 0a60ee129b9137a9a5cd49c4dd15247830a7f319 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Fri, 20 Aug 2021 18:12:04 +0200
+Subject: [PATCH] libss: add newer libreadline.so.8 to dlopen path
+
+OpenSUSE Tumbleweed now has libreadline.so.8. Add it to the list of libs
+to look for.
+
+Signed-off-by: Jan Kara
+---
+ lib/ss/get_readline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ss/get_readline.c b/lib/ss/get_readline.c
+index 11c72b3387d1..aa1615747934 100644
+--- a/lib/ss/get_readline.c
++++ b/lib/ss/get_readline.c
+@@ -37,7 +37,7 @@ static void ss_release_readline(ss_data *info)
+ #endif
+
+ /* Libraries we will try to use for readline/editline functionality */
+-#define DEFAULT_LIBPATH "libreadline.so.7:libreadline.so.6:libreadline.so.5:libreadline.so.4:libreadline.so:libedit.so.2:libedit.so:libeditline.so.0:libeditline.so"
++#define DEFAULT_LIBPATH "libreadline.so.8:libreadline.so.7:libreadline.so.6:libreadline.so.5:libreadline.so.4:libreadline.so:libedit.so.2:libedit.so:libeditline.so.0:libeditline.so"
+
+ #ifdef HAVE_DLOPEN
+ void ss_get_readline(int sci_idx)
+--
+2.26.2
+
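Review bot: The comment above `DEFAULT_LIBPATH` in lib/ss/get_readline.c does not say how the colon-separated list is consumed, so it is not obvious why the new `libreadline.so.8` has to be prepended rather than appended. Presumably the entries are tried in order and the first one that loads wins; if so, I would extend the comment to `/* Libraries we will try, in order, for readline/editline functionality; keep the newest soname first */`. The entries are bare sonames, so which file is actually loaded is left to the dynamic loader's search path; the patch does not change that, but it is worth stating in the same comment. The code that walks the list is outside the hunk.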