From 78f374424e84df1f1624a229b39463700ae9b306 Mon Sep 17 00:00:00 2001 From: OBS User jankara Date: Wed, 15 Sep 2021 09:02:50 +0000 Subject: [PATCH 1/2] Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort Rev filesystems/142 Md5 69bd64fbc6d1446b0f1394269a3eaf63 2021-09-15 09:02:50 jankara 918932 --- e2fsprogs.changes | 9 +++++++++ e2fsprogs.spec | 8 ++++++++ harden_e2scrub@.service.patch | 21 +++++++++++++++++++++ harden_e2scrub_all.service.patch | 23 +++++++++++++++++++++++ harden_e2scrub_fail@.service.patch | 23 +++++++++++++++++++++++ harden_e2scrub_reap.service.patch | 21 +++++++++++++++++++++ 6 files changed, 105 insertions(+) create mode 100644 harden_e2scrub@.service.patch create mode 100644 harden_e2scrub_all.service.patch create mode 100644 harden_e2scrub_fail@.service.patch create mode 100644 harden_e2scrub_reap.service.patch diff --git a/e2fsprogs.changes b/e2fsprogs.changes index 4d79f49..e12418a 100644 --- a/e2fsprogs.changes +++ b/e2fsprogs.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Sep 14 07:03:07 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_e2scrub@.service.patch + * harden_e2scrub_all.service.patch + * harden_e2scrub_fail@.service.patch + * harden_e2scrub_reap.service.patch + ------------------------------------------------------------------- Mon Aug 2 20:47:09 UTC 2021 - Jan Kara diff --git a/e2fsprogs.spec b/e2fsprogs.spec index 7aefcf2..a640da7 100644 --- a/e2fsprogs.spec +++ b/e2fsprogs.spec 
@@ -89,6 +89,10 @@ Source5: https://thunk.org/tytso/tytso-key.asc#/%{name}.keyring Patch3: libcom_err-compile_et_permissions.patch Patch4: e2fsprogs-1.42-implicit_fortify_decl.patch Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch +Patch6: harden_e2scrub@.service.patch +Patch7: harden_e2scrub_all.service.patch +Patch8: harden_e2scrub_fail@.service.patch +Patch9: harden_e2scrub_reap.service.patch # Do not suppress make commands BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -253,6 +257,10 @@ Development files for the com_err error message display library. Static librarie %patch4 %patch5 cp %{SOURCE2} . +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects diff --git a/harden_e2scrub@.service.patch b/harden_e2scrub@.service.patch new file mode 100644 index 0000000..5a4c82c --- /dev/null +++ b/harden_e2scrub@.service.patch @@ -0,0 +1,21 @@ +Index: e2fsprogs-1.46.3/scrub/e2scrub@.service.in +=================================================================== +--- e2fsprogs-1.46.3.orig/scrub/e2scrub@.service.in ++++ e2fsprogs-1.46.3/scrub/e2scrub@.service.in +@@ -10,6 +10,16 @@ PrivateNetwork=true + ProtectSystem=true + ProtectHome=read-only + PrivateTmp=yes ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectHostname=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO + NoNewPrivileges=yes + User=root diff --git a/harden_e2scrub_all.service.patch b/harden_e2scrub_all.service.patch new file mode 100644 index 0000000..fbcd365 --- /dev/null +++ b/harden_e2scrub_all.service.patch 
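Review bot: `ProtectClock=true` in the nested hunk for e2scrub@.service.in is risky on a unit that has to open block devices: systemd documents that this directive implies `DeviceAllow=char-rtc r`, and once any DeviceAllow= entry exists the default `DevicePolicy=auto` no longer grants access to other device nodes, so the scrub's snapshot device may become unopenable even though the unit keeps `AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO`. The commit message itself says this was not tested, so at minimum run one e2scrub@ instance under the hardened unit; if the device filter bites, add an explicit `DeviceAllow=` entry for the scrubbed block devices inside the automatic block, or drop `ProtectClock=true` from the two root units (this one and harden_e2scrub_reap.service.patch; harden_e2scrub_all.service.patch runs lvs/lsblk, which I would expect to need the same device access — confirm). A smaller point on all four new patch files: the `Index:`/`---`/`+++` lines embed `e2fsprogs-1.46.3/`, so every version bump forces regenerating them (the following commit already does), whereas version-independent `a/scrub/...` and `b/scrub/...` paths would keep `%patch -p1` applying across updates.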
@@ -0,0 +1,23 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
++++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
+ Documentation=man:e2scrub_all(8)
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ Environment=SERVICE_MODE=1
+ ExecStart=@root_sbindir@/e2scrub_all
diff --git a/harden_e2scrub_fail@.service.patch b/harden_e2scrub_fail@.service.patch
new file mode 100644
index 0000000..d8c2d2d
--- /dev/null
+++ b/harden_e2scrub_fail@.service.patch
@@ -0,0 +1,23 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
++++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
+ Documentation=man:e2scrub(8)
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ ExecStart=@pkglibdir@/e2scrub_fail "%I"
+ User=mail
diff --git a/harden_e2scrub_reap.service.patch b/harden_e2scrub_reap.service.patch
new file mode 100644
index 0000000..8491e15
--- /dev/null
+++ b/harden_e2scrub_reap.service.patch
@@ -0,0 +1,21 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
++++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
+@@ -11,6 +11,16 @@ PrivateNetwork=true
+ ProtectSystem=true
+ ProtectHome=read-only
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
+ NoNewPrivileges=yes
+ User=root
From b8781ffe6c468bd8943ea018eb1841c0d65db97d Mon Sep 17 00:00:00 2001
From: OBS User jankara Date: Fri, 17 Sep 2021 16:27:04 +0000 Subject: [PATCH 2/2] - Update to 1.46.4: * Default to 256-byte inodes for all filesystems, not only larger ones * Bigalloc is considered supported now for small cluster sizes * E2fsck and e2image fixes for quota feature * Fix mke2fs creation of filesystem into non-existent file - libss-add-newer-libreadline.so.8-to-dlopen-path.patch: libss: add newer libreadline.so.8 to dlopen path (bsc#1189453) Rev filesystems/143 Md5 69640eb8914151807bf629226ae87303 2021-09-17 16:27:04 jankara 919834 --- e2fsprogs-1.46.3.tar.sign | Bin 310 -> 0 bytes e2fsprogs-1.46.3.tar.xz | 3 -- e2fsprogs-1.46.4.tar.sign | Bin 0 -> 310 bytes e2fsprogs-1.46.4.tar.xz | 3 ++ e2fsprogs.changes | 11 +++++++ e2fsprogs.spec | 12 +++++--- harden_e2scrub@.service.patch | 9 +++--- ...ewer-libreadline.so.8-to-dlopen-path.patch | 29 ++++++++++++++++++ 8 files changed, 54 insertions(+), 13 deletions(-) delete mode 100644 e2fsprogs-1.46.3.tar.sign delete mode 100644 e2fsprogs-1.46.3.tar.xz create mode 100644 e2fsprogs-1.46.4.tar.sign create mode 100644 e2fsprogs-1.46.4.tar.xz create mode 100644 libss-add-newer-libreadline.so.8-to-dlopen-path.patch diff --git a/e2fsprogs-1.46.3.tar.sign b/e2fsprogs-1.46.3.tar.sign deleted file mode 100644 index 2525f6ea7b7615b72e6cbca587b21ae86e70717f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j*HX}MI}{s?&}fj7zW`B_$#4S}Nt0$~79Yyb)g5c2t1 zR+SBbqlhsF|3nX2anFo>i1@}xDV-517t6O!eHg9^EiG&RrY~XWKVt zMRb@H#IUv@H;wEHX`C7Xy_oTROe;PIk{9+u!M~3I_njB;OtAr^=1%KV=ia#pk#H7;k1z$-1 IHvT6K-9N~Y;{X5v diff --git a/e2fsprogs-1.46.3.tar.xz b/e2fsprogs-1.46.3.tar.xz deleted file mode 100644 index b9ea3f4..0000000 --- a/e2fsprogs-1.46.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:86d1580facdd49f2e0e6b027e26b1e6c48af538762dc40aeed2a87153c1f11b7 -size 7024896 
diff --git a/e2fsprogs-1.46.4.tar.sign b/e2fsprogs-1.46.4.tar.sign new file mode 100644 index 0000000000000000000000000000000000000000..caa40af8562d1dabde1ddfd19095e146acc65742 GIT binary patch literal 310 zcmV-60m=S}0W$;u0SEvc79j*HX}MI}{s?&}fj7zW`B_$#4S}Nt0%0Diz5ogd5c2t1 zR+SBbqoRxl`viW{)*rhqoXd~iYiXFRkaaQ-4; zSxNW~`x?fF+d1HW>Loz8Iw=i_fnB<}ZIa6=RP I{o|#<9q@FFM*si- literal 0 HcmV?d00001 diff --git a/e2fsprogs-1.46.4.tar.xz b/e2fsprogs-1.46.4.tar.xz new file mode 100644 index 0000000..34468e8 --- /dev/null +++ b/e2fsprogs-1.46.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b11042533c1b1dcf17512f0da48e05b0c573dada1dd8b762864d10f4dc399713 +size 7035200 diff --git a/e2fsprogs.changes b/e2fsprogs.changes index e12418a..05558dc 100644 --- a/e2fsprogs.changes +++ b/e2fsprogs.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed Sep 15 09:16:54 UTC 2021 - Jan Kara + +- Update to 1.46.4: + * Default to 256-byte inodes for all filesystems, not only larger ones + * Bigalloc is considered supported now for small cluster sizes + * E2fsck and e2image fixes for quota feature + * Fix mke2fs creation of filesystem into non-existent file +- libss-add-newer-libreadline.so.8-to-dlopen-path.patch: libss: add newer + libreadline.so.8 to dlopen path (bsc#1189453) + ------------------------------------------------------------------- Tue Sep 14 07:03:07 UTC 2021 - Johannes Segitz diff --git a/e2fsprogs.spec b/e2fsprogs.spec index a640da7..5996599 100644 --- a/e2fsprogs.spec +++ b/e2fsprogs.spec @@ -66,7 +66,7 @@ Conflicts: libcom_err2-mini Conflicts: libcom_err-mini-devel %endif # -Version: 1.46.3 +Version: 1.46.4 Release: 0 Summary: Utilities for the Second Extended File System License: GPL-2.0-only 
@@ -89,10 +89,11 @@ Source5: https://thunk.org/tytso/tytso-key.asc#/%{name}.keyring Patch3: libcom_err-compile_et_permissions.patch Patch4: e2fsprogs-1.42-implicit_fortify_decl.patch Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch -Patch6: harden_e2scrub@.service.patch -Patch7: harden_e2scrub_all.service.patch -Patch8: harden_e2scrub_fail@.service.patch -Patch9: harden_e2scrub_reap.service.patch +Patch6: harden_e2scrub@.service.patch +Patch7: harden_e2scrub_all.service.patch +Patch8: harden_e2scrub_fail@.service.patch +Patch9: harden_e2scrub_reap.service.patch +Patch10: libss-add-newer-libreadline.so.8-to-dlopen-path.patch # Do not suppress make commands BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -261,6 +262,7 @@ cp %{SOURCE2} . %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build %global _lto_cflags %{_lto_cflags} -ffat-lto-objects diff --git a/harden_e2scrub@.service.patch b/harden_e2scrub@.service.patch index 5a4c82c..8913583 100644 --- a/harden_e2scrub@.service.patch +++ b/harden_e2scrub@.service.patch @@ -1,8 +1,8 @@ -Index: e2fsprogs-1.46.3/scrub/e2scrub@.service.in +Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in =================================================================== ---- e2fsprogs-1.46.3.orig/scrub/e2scrub@.service.in -+++ e2fsprogs-1.46.3/scrub/e2scrub@.service.in -@@ -10,6 +10,16 @@ PrivateNetwork=true +--- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in ++++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in +@@ -10,6 +10,15 @@ PrivateNetwork=true ProtectSystem=true ProtectHome=read-only PrivateTmp=yes @@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub@.service.in +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true -+ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true diff --git a/libss-add-newer-libreadline.so.8-to-dlopen-path.patch b/libss-add-newer-libreadline.so.8-to-dlopen-path.patch new file mode 100644 index 0000000..ae20e63 --- /dev/null 
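Review bot: The removal of `-+ProtectKernelModules=true` in the `@@ -11,7 +11,6 @@` hunk of harden_e2scrub@.service.patch is not mirrored in harden_e2scrub_reap.service.patch, which the previous commit left with the same directive on a unit that carries the same `AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO` and `User=root` lines. If the directive was dropped because the scrub path needs kernel-module autoloading (presumably for the LVM snapshot — the commit does not say), the reap unit, which tears down the same snapshots, should either be verified under `ProtectKernelModules=true` or lose the line as well. The relaxation also goes unrecorded in this commit's e2fsprogs.changes hunk, which only lists the 1.46.4 update and the libss patch; a line such as `- harden_e2scrub@.service.patch: refresh for 1.46.4, drop ProtectKernelModules=true` would make the weakened sandbox visible to later audits.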
+++ b/libss-add-newer-libreadline.so.8-to-dlopen-path.patch
@@ -0,0 +1,29 @@
+From 0a60ee129b9137a9a5cd49c4dd15247830a7f319 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Fri, 20 Aug 2021 18:12:04 +0200
+Subject: [PATCH] libss: add newer libreadline.so.8 to dlopen path
+
+OpenSUSE Tumbleweed now has libreadline.so.8. Add it to the list of libs
+to look for.
+
+Signed-off-by: Jan Kara
+---
+ lib/ss/get_readline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ss/get_readline.c b/lib/ss/get_readline.c
+index 11c72b3387d1..aa1615747934 100644
+--- a/lib/ss/get_readline.c
++++ b/lib/ss/get_readline.c
+@@ -37,7 +37,7 @@ static void ss_release_readline(ss_data *info)
+ #endif
+
+ /* Libraries we will try to use for readline/editline functionality */
+-#define DEFAULT_LIBPATH "libreadline.so.7:libreadline.so.6:libreadline.so.5:libreadline.so.4:libreadline.so:libedit.so.2:libedit.so:libeditline.so.0:libeditline.so"
++#define DEFAULT_LIBPATH "libreadline.so.8:libreadline.so.7:libreadline.so.6:libreadline.so.5:libreadline.so.4:libreadline.so:libedit.so.2:libedit.so:libeditline.so.0:libeditline.so"
+
+ #ifdef HAVE_DLOPEN
+ void ss_get_readline(int sci_idx)
+--
+2.26.2
+