Accepting request 913679 from GNOME:Factory

- Spec layout cleaning up for harden_accounts-daemon.service.patch. (forwarded request 910817 from yfjiang) OBS-URL: https://build.opensuse.org/request/show/913679 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/accountsservice?expand=0&rev=72
2021-08-25 18:56:10 +00:00
parent bce6185f6e b7bd8903f1
commit da64b3a706
3 changed files with 35 additions and 0 deletions
--- a/accountsservice.changes
+++ b/accountsservice.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Aug  9 09:36:20 UTC 2021 - Yifan Jiang <yfjiang@suse.com>
+
+- Spec layout cleaning up for harden_accounts-daemon.service.patch.
+
+-------------------------------------------------------------------
+Tue Jul 27 11:53:56 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_accounts-daemon.service.patch
+
 -------------------------------------------------------------------
 Tue Mar  2 21:05:33 UTC 2021 - Antoine Belvire <antoine.belvire@opensuse.org>

--- a/accountsservice.spec
+++ b/accountsservice.spec
@@ -36,6 +36,8 @@ Patch2:         accountsservice-read-root-user-cache.patch
 Patch3:         accountsservice-wtmp-io-improvements.patch
 # PATCH-FIX-UPSTREAM accountsservice-fix-gdm-crash.patch glfo#accountsservice/accountsservice#55 antoine.belvire@opensuse.org -- Prevent gdm crash upon service restart when autologin is enabled
 Patch4:         accountsservice-fix-gdm-crash.patch
+# PATCH-FIX-OPENSUSE harden_accounts-daemon.service.patch jsegitz@suse.com -- For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+Patch5:         harden_accounts-daemon.service.patch

 ## SLE and Leap only patches start at 1000
 # PATCH-FEATURE-SLE as-fate318433-prevent-same-account-multi-logins.patch fate#318433 cxiong@suse.com -- prevent multiple simultaneous login.
@@ -103,6 +105,7 @@ querying and manipulating user account information.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 # SLE and Leap patches start at 1000
 %if 0%{?sle_version}
--- a/harden_accounts-daemon.service.patch
+++ b/harden_accounts-daemon.service.patch
@@ -0,0 +1,21 @@
+Index: accountsservice-0.6.55/data/accounts-daemon.service.in
+===================================================================
+--- accountsservice-0.6.55.orig/data/accounts-daemon.service.in
+++ accountsservice-0.6.55/data/accounts-daemon.service.in
+@@ -8,6 +8,16 @@ After=nss-user-lookup.target
+ Wants=nss-user-lookup.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ Type=dbus
+ BusName=org.freedesktop.Accounts
+ ExecStart=@libexecdir@/accounts-daemon