Accepting request 990376 from home:jsegitz:branches:systemdhardening:GNOME:Factory

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/990376
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/avahi?expand=0&rev=209
Dominique Leuenberger 2022-12-03 12:16:12 +00:00 committed by Git OBS Bridge
parent 780e418927
commit 014337f5c0
5 changed files with 59 additions and 6 deletions


@ -43,7 +43,7 @@ dns_reachable() {
# If there is no local nameserver and no we have no global ip addresses # If there is no local nameserver and no we have no global ip addresses
# then we can't reach any nameservers # then we can't reach any nameservers
if ! $(grep -E -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
if [ -x "$(which ip)" ]; then if [ -x "$(which ip)" ]; then
ADDRS=$(ip addr show scope global | grep inet) ADDRS=$(ip addr show scope global | grep inet)
ROUTES=$(ip route show 0.0.0.0/0) ROUTES=$(ip route show 0.0.0.0/0)
@ -51,7 +51,7 @@ dns_reachable() {
# Get addresses of all running interfaces # Get addresses of all running interfaces
ADDRS=$(LC_ALL=C ifconfig | grep ' addr:') ADDRS=$(LC_ALL=C ifconfig | grep ' addr:')
# Filter out all local addresses # Filter out all local addresses
ADDRS=$(echo "${ADDRS}" | grep -E -v ':127|Scope:Host|Scope:Link') ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link')
# Check we have a default route # Check we have a default route
ROUTES=$(route -n | grep '^0.0.0.0 ') ROUTES=$(route -n | grep '^0.0.0.0 ')
fi fi
@ -76,7 +76,7 @@ dns_has_local() {
# Use timeout when calling host as workaround for LP: #1752411 # Use timeout when calling host as workaround for LP: #1752411
OUT=`LC_ALL=C timeout 5 host -t soa local. 2>&1` OUT=`LC_ALL=C timeout 5 host -t soa local. 2>&1`
if [ $? -eq 0 ] ; then if [ $? -eq 0 ] ; then
if echo "$OUT" | grep -E -vq 'has no|not found'; then if echo "$OUT" | egrep -vq 'has no|not found'; then
return 0 return 0
fi fi
else else
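Review bot: If the right-hand column is the new side (the changelog section shows the Jul 20 hardening entry there and the Patch28/Patch29 additions are printed once), the three changed lines in this file — `grep -E -q "nameserver 127.0.0.1|::1"`, `grep -E -v ':127|Scope:Host|Scope:Link'` and `grep -E -vq 'has no|not found'` — come back as `egrep` calls, undoing the Sep 4 boo#1203092 conversion, and the changelog hunk correspondingly drops that entry. Nothing in the commit description claims this; it looks like request 990376 was branched before that fix and never rebased. The request should be rebased so these three lines keep `grep -E` and the Sep 4 changelog entry stays in place. The enclosing dns_reachable() and dns_has_local() bodies extend outside the hunks shown.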


@ -1,8 +1,9 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Sep 4 12:19:08 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> Wed Jul 20 09:14:05 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- avahi-daemon-check-dns.sh: convert obsolete egrep call to grep -E - Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
(boo#1203092) * harden_avahi-daemon.service.patch
* harden_avahi-dnsconfd.service.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Jul 9 12:30:21 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> Sat Jul 9 12:30:21 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>


@ -105,6 +105,8 @@ Patch25: 0006-man-add-missing-bshell.1-symlink.patch
Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch
# PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display. # PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display.
Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch
Patch28: harden_avahi-daemon.service.patch
Patch29: harden_avahi-dnsconfd.service.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gdbm-devel BuildRequires: gdbm-devel
@ -512,6 +514,8 @@ cp -a %{SOURCE12} service-type-database/build-db
%patch25 -p1 %patch25 -p1
%patch26 -p1 %patch26 -p1
%patch27 -p1 %patch27 -p1
%patch28 -p1
%patch29 -p1
%if !%{build_core} %if !%{build_core}
# Replace all .la references from local .la files to installed versions # Replace all .la references from local .la files to installed versions
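Review bot: The two new `Patch28:` and `Patch29:` lines carry no descriptive comment, while the neighbouring Patch27 follows the spec's `# PATCH-FIX-UPSTREAM <file> <email> -- <summary>` convention. Add a line above each, e.g. `# PATCH-FIX-OPENSUSE harden_avahi-daemon.service.patch jsegitz@suse.com -- systemd hardening, not yet tested (bsc#1181400)`, so the origin, bug reference and test status recorded in the commit message survive in the spec itself. The `%patch28`/`%patch29` hunk needs no change.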


@ -0,0 +1,24 @@
Index: avahi-0.8/avahi-daemon/avahi-daemon.service.in
===================================================================
--- avahi-0.8.orig/avahi-daemon/avahi-daemon.service.in
+++ avahi-0.8/avahi-daemon/avahi-daemon.service.in
@@ -20,6 +20,19 @@ Description=Avahi mDNS/DNS-SD Stack
Requires=avahi-daemon.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=dbus
BusName=org.freedesktop.Avahi
ExecStart=@sbindir@/avahi-daemon -s
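Review bot: The patch file starts directly at the `Index:` line with no header giving the bug reference or the test status, although the commit message states the directives have not been tested; the same applies to harden_avahi-dnsconfd.service.patch below. A short header before `Index:` naming bsc#1181400, the hardening-effort URL and the fact that the unit still has to be verified to start and claim `org.freedesktop.Avahi` on the bus under these restrictions would tell the next maintainer what was and was not checked. The in-unit comment could likewise read `# added automatically (bsc#1181400), for details please see` so the reference is reachable without the wiki.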


@ -0,0 +1,24 @@
Index: avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
===================================================================
--- avahi-0.8.orig/avahi-dnsconfd/avahi-dnsconfd.service.in
+++ avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
@@ -21,6 +21,19 @@ Requires=avahi-daemon.socket avahi-daemo
After=avahi-daemon.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@sbindir@/avahi-dnsconfd -s
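Review bot: `ProtectSystem=full` makes /etc read-only for this unit, and avahi-dnsconfd's purpose (per its man page, not shown here) is to push discovered DNS servers into the resolver configuration through an action script; if that script writes /etc/resolv.conf, which the check-dns script in this commit reads, that write would now fail. Since the commit message says the directives are untested, this unit in particular should be exercised with a discovered DNS server and the action script's write target checked, adding e.g. `ReadWritePaths=/etc/resolv.conf` (or whichever path the script actually touches) if the write is blocked. The `[Service]` section continues past the hunk.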