Accepting request 911446 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/911446 OBS-URL: https://build.opensuse.org/package/show/Base:System/at?expand=0&rev=118
2021-10-16 09:51:35 +00:00 · 2021-10-16 09:51:35 +00:00 · 0ec42e07fe
commit 0ec42e07fe
parent 7ed79c5b73
4 changed files with 46 additions and 0 deletions
--- a/at.changes
+++ b/at.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Aug 11 08:25:16 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_atd.service.patch
+  Modified:
+  * atd.service
+
 -------------------------------------------------------------------
 Fri Jul 16 09:09:26 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>

--- a/at.spec
+++ b/at.spec
@ -58,6 +58,7 @@ Patch27:        at-3.1.14-usePOSIXtimers.patch
 Patch28:        at-adjust_load_to_cpu_count.patch
 # PATCH-FIX-UPSTREAM bnc#945124 kstreitova@suse.com -- don't loop on corrupt files and prevent their creation
 Patch29:        at-3.1.16-handle_malformed_jobs.patch
+Patch30:        harden_atd.service.patch
 BuildRequires:  autoconf >= 2.69
 BuildRequires:  automake
 BuildRequires:  bison
--- a/atd.service
+++ b/atd.service
@ -3,6 +3,19 @@ Description=Deferred execution scheduler
 After=nss-user-lookup.target time-sync.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/sbin/atd -f

 [Install]
--- a/harden_atd.service.patch
+++ b/harden_atd.service.patch
@ -0,0 +1,24 @@
+Index: at-3.2.2/atd.service.in
+===================================================================
+--- at-3.2.2.orig/atd.service.in
+++ at-3.2.2/atd.service.in
+@@ -4,6 +4,19 @@ Documentation=man:atd(8)
+ After=remote-fs.target nss-user-lookup.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ ExecStartPre=-find @atjobdir@ -type f -name "=*" -not -newercc /run/systemd -delete
+ ExecStart=@sbindir@/atd -f
+ IgnoreSIGPIPE=false