Dominique Leuenberger 2021-10-20 18:22:41 +00:00 committed by Git OBS Bridge
commit 8af9741618
5 changed files with 9 additions and 8 deletions


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Oct 15 12:11:41 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 30 14:13:06 UTC 2021 - Jan Kara <jack@suse.cz> Thu Sep 30 14:13:06 UTC 2021 - Jan Kara <jack@suse.cz>


@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
=================================================================== ===================================================================
--- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in --- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
+++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in +++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
@@ -10,6 +10,15 @@ PrivateNetwork=true @@ -10,6 +10,14 @@ PrivateNetwork=true
ProtectSystem=true ProtectSystem=true
ProtectHome=read-only ProtectHome=read-only
PrivateTmp=yes PrivateTmp=yes
+# added automatically, for details please see +# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true +ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true +ProtectKernelTunables=true
+ProtectKernelLogs=true +ProtectKernelLogs=true
+ProtectControlGroups=true +ProtectControlGroups=true
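Review bot: The hardening block added to e2scrub@.service.in no longer carries `ProtectClock=true`, but nothing in the unit itself records why, so a later automated hardening pass could silently put it back. Per systemd.exec(5), ProtectClock= implies `DeviceAllow=char-rtc r`, which switches the unit to a device allow-list; that is presumably what blocked the other device access the changelog entry mentions. I would add a line under the existing "added automatically" comment, for example `# ProtectClock= intentionally omitted: it implies DeviceAllow= and blocks access to other device nodes`. The same comment is missing from the blocks in e2scrub_all.service.in, e2scrub_fail@.service.in and e2scrub_reap.service.in.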


@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
=================================================================== ===================================================================
--- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in --- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in +++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO @@ -6,6 +6,17 @@ ConditionCapability=CAP_SYS_RAWIO
Documentation=man:e2scrub_all(8) Documentation=man:e2scrub_all(8)
[Service] [Service]
@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+ProtectSystem=full +ProtectSystem=full
+ProtectHome=true +ProtectHome=true
+ProtectHostname=true +ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true +ProtectKernelTunables=true
+ProtectKernelModules=true +ProtectKernelModules=true
+ProtectKernelLogs=true +ProtectKernelLogs=true


@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
=================================================================== ===================================================================
--- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in --- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in +++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F @@ -3,6 +3,17 @@ Description=Online ext4 Metadata Check F
Documentation=man:e2scrub(8) Documentation=man:e2scrub(8)
[Service] [Service]
@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+ProtectSystem=full +ProtectSystem=full
+ProtectHome=true +ProtectHome=true
+ProtectHostname=true +ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true +ProtectKernelTunables=true
+ProtectKernelModules=true +ProtectKernelModules=true
+ProtectKernelLogs=true +ProtectKernelLogs=true
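Review bot: `ProtectClock=true` is dropped from e2scrub_fail@.service.in along with the scrub units, but this unit appears to be only the failure-reporting helper and may not need to open block devices at all. If that is the case, the device allow-list implied by ProtectClock= would not break it, and the setting could stay here to keep the unit as tightly confined as before. This should be confirmed against what the unit's ExecStart actually does, which is outside the visible lines. If the removal is kept for uniformity across the four units, a short comment saying so would help.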


@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
=================================================================== ===================================================================
--- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in --- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in +++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
@@ -11,6 +11,16 @@ PrivateNetwork=true @@ -11,6 +11,15 @@ PrivateNetwork=true
ProtectSystem=true ProtectSystem=true
ProtectHome=read-only ProtectHome=read-only
PrivateTmp=yes PrivateTmp=yes
+# added automatically, for details please see +# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true +ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true +ProtectKernelTunables=true
+ProtectKernelModules=true +ProtectKernelModules=true
+ProtectKernelLogs=true +ProtectKernelLogs=true