Accepting request 990376 from home:jsegitz:branches:systemdhardening:GNOME:Factory

Automatic systemd hardening effort by the security team. The added directives have not been tested against these services. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/990376
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/avahi?expand=0&rev=209
Dominique Leuenberger 2022-12-03 12:16:12 +00:00 committed by Git OBS Bridge
parent 780e418927
commit 014337f5c0
5 changed files with 59 additions and 6 deletions


@ -43,7 +43,7 @@ dns_reachable() {
# If there is no local nameserver and no we have no global ip addresses
# then we can't reach any nameservers
if ! $(grep -E -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
if [ -x "$(which ip)" ]; then
ADDRS=$(ip addr show scope global | grep inet)
ROUTES=$(ip route show 0.0.0.0/0)
@ -51,7 +51,7 @@ dns_reachable() {
# Get addresses of all running interfaces
ADDRS=$(LC_ALL=C ifconfig | grep ' addr:')
# Filter out all local addresses
ADDRS=$(echo "${ADDRS}" | grep -E -v ':127|Scope:Host|Scope:Link')
ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link')
# Check we have a default route
ROUTES=$(route -n | grep '^0.0.0.0 ')
fi
@ -76,7 +76,7 @@ dns_has_local() {
# Use timeout when calling host as workaround for LP: #1752411
OUT=`LC_ALL=C timeout 5 host -t soa local. 2>&1`
if [ $? -eq 0 ] ; then
if echo "$OUT" | grep -E -vq 'has no|not found'; then
if echo "$OUT" | egrep -vq 'has no|not found'; then
return 0
fi
else
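Review bot: The three changed lines appear to put the obsolete `egrep` back in place of `grep -E`, which undoes the boo#1203092 conversion whose changelog entry this same commit drops — if the `egrep` lines are indeed the new side, as the removed "Sun Sep 4" entry suggests, this is a regression that a hardening request should not carry, most likely because the branch was taken before that fix landed. GNU grep 3.8 and later print an obsolescence warning to stderr on every `egrep` call, so the `grep -E -q "nameserver 127.0.0.1|::1"`, `grep -E -v ':127|Scope:Host|Scope:Link'` and `grep -E -vq 'has no|not found'` forms should be kept, e.g. by rebasing the branch onto the current GNOME:Factory revision before accepting. Independently of the direction, `if ! $(grep -E -q ... /etc/resolv.conf); then` executes grep's (empty) output as the command rather than grep itself (ShellCheck SC2091) and only works because an empty command's status falls back to the substitution's; `if ! grep -E -q "nameserver 127.0.0.1|::1" /etc/resolv.conf; then` is the intended form. Both dns_reachable and dns_has_local continue outside the visible hunks.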


@ -1,8 +1,9 @@
-------------------------------------------------------------------
Sun Sep 4 12:19:08 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
Wed Jul 20 09:14:05 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- avahi-daemon-check-dns.sh: convert obsolete egrep call to grep -E
(boo#1203092)
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_avahi-daemon.service.patch
* harden_avahi-dnsconfd.service.patch
-------------------------------------------------------------------
Sat Jul 9 12:30:21 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>


@ -105,6 +105,8 @@ Patch25: 0006-man-add-missing-bshell.1-symlink.patch
Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch
# PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display.
Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch
Patch28: harden_avahi-daemon.service.patch
Patch29: harden_avahi-dnsconfd.service.patch
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: gdbm-devel
@ -512,6 +514,8 @@ cp -a %{SOURCE12} service-type-database/build-db
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%if !%{build_core}
# Replace all .la references from local .la files to installed versions
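Review bot: The new `Patch28:` and `Patch29:` lines carry no `# PATCH-…` tag, while the neighbouring Patch27 has `# PATCH-FIX-UPSTREAM … mgorse@suse.com -- …`; openSUSE's patch-tagging convention expects one line per patch, and since these are distribution-local unit changes rather than upstream submissions they would read `# PATCH-FEATURE-OPENSUSE harden_avahi-daemon.service.patch jsegitz@suse.com -- systemd hardening (bsc#1181400)` and the same for `harden_avahi-dnsconfd.service.patch`. That tag line is also the right place to record the caveat from the request description, so a later maintainer knows the directives were generated automatically and not validated against the running daemons. The `%patch28 -p1` / `%patch29 -p1` lines in the second hunk match the `-p1` level of the surrounding patches, so no point there.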


@ -0,0 +1,24 @@
Index: avahi-0.8/avahi-daemon/avahi-daemon.service.in
===================================================================
--- avahi-0.8.orig/avahi-daemon/avahi-daemon.service.in
+++ avahi-0.8/avahi-daemon/avahi-daemon.service.in
@@ -20,6 +20,19 @@ Description=Avahi mDNS/DNS-SD Stack
Requires=avahi-daemon.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=dbus
BusName=org.freedesktop.Avahi
ExecStart=@sbindir@/avahi-daemon -s
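Review bot: The added directives are all filesystem and kernel-surface protections, but for a daemon that answers unsolicited multicast DNS from the local network (`Description=Avahi mDNS/DNS-SD Stack`) the settings with the most value against a remote compromise — restricting address families, system calls and the capability bounding set — are absent, and the request description states the set was not tested against the service at all. As a low-risk first step I would add, inside the marked block, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`, `RestrictNamespaces=true` and `LockPersonality=true` (AF_UNIX is required for the `Type=dbus` / `BusName=org.freedesktop.Avahi` connection; AF_NETLINK for avahi's interface monitoring, to my knowledge — confirm with `systemd-analyze security avahi-daemon.service` and a start/stop cycle that checks the journal for EPERM/EACCES/EROFS). `ProtectSystem=full` makes /etc read-only in addition to /usr and /boot; nothing in the visible lines shows avahi-daemon writing outside /run, so that is probably safe, but it is exactly the assumption the missing test would confirm, and a comment on the `ProtectSystem=` line naming the paths the daemon is known to write would document it. The remaining `[Service]` lines of the unit continue past the hunk.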


@ -0,0 +1,24 @@
Index: avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
===================================================================
--- avahi-0.8.orig/avahi-dnsconfd/avahi-dnsconfd.service.in
+++ avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
@@ -21,6 +21,19 @@ Requires=avahi-daemon.socket avahi-daemo
After=avahi-daemon.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@sbindir@/avahi-dnsconfd -s
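Review bot: `ProtectSystem=full` mounts /etc read-only, and avahi-dnsconfd's purpose, to my knowledge, is to hand discovered unicast DNS servers to an action script under /etc/avahi that rewrites `/etc/resolv.conf` — if that holds for this package, the unit starts cleanly but every action run fails with EROFS and the service silently stops doing its one job, which the untested status in the request description would not have caught. Either verify the action script's write targets and list them in `ReadWritePaths=` (tools that replace the file via a temporary file plus rename need the directory writable, not just the file), or fall back to `ProtectSystem=true` (read-only /usr and /boot only) with a comment such as `# ProtectSystem=full would make /etc read-only and break the dnsconfd action hook`. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` and `LockPersonality=true` would also fit here, but `SystemCallFilter=` should not be added blind because the daemon execs an external script not visible in this patch. The rest of the `[Service]` section continues past the hunk.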