Accepting request 1040260 from GNOME:Factory

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_avahi-daemon.service.patch * harden_avahi-dnsconfd.service.patch by anything. this makes the spec file slightly more readable. OBS-URL: https://build.opensuse.org/request/show/1040260 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/avahi?expand=0&rev=154
2022-12-07 16:33:45 +00:00 · 2022-12-07 16:33:45 +00:00 · 4cd9d0ffcb
commit 4cd9d0ffcb
parent 0a90ee8ecf 0b0c1ce0bf
4 changed files with 62 additions and 2 deletions
--- a/avahi.changes
+++ b/avahi.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Dec  5 12:35:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_avahi-daemon.service.patch
+  * harden_avahi-dnsconfd.service.patch
+
 -------------------------------------------------------------------
 Sun Sep  4 12:19:08 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

@ -27,7 +34,7 @@ Wed Feb 23 11:13:07 UTC 2022 - Dirk Müller <dmueller@suse.com>
 Thu Feb 17 00:03:22 UTC 2022 - Dirk Müller <dmueller@suse.com>

 - remove avahi-mono* subspecfiles, they are no longer required
-  by anything. this makes the spec file slightly more readable. 
+  by anything. this makes the spec file slightly more readable.

 -------------------------------------------------------------------
 Wed Feb 16 18:26:01 UTC 2022 - Michael Gorse <mgorse@suse.com>
--- a/avahi.spec
+++ b/avahi.spec
@ -105,6 +105,8 @@ Patch25:        0006-man-add-missing-bshell.1-symlink.patch
 Patch26:        0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch
 # PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display.
 Patch27:        0009-fix-bytestring-decoding-for-proper-display.patch
+Patch28:        harden_avahi-daemon.service.patch
+Patch29:        harden_avahi-dnsconfd.service.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  gdbm-devel
@ -416,8 +418,9 @@ DNS specifications for Zeroconf Computing.



-# This is the avahi-discover command, only provided for the primary python3 flavor

+
+# This is the avahi-discover command, only provided for the primary python3 flavor
 %package -n python3-avahi-gtk
 Summary:        A set of Avahi utilities written in Python Using python-gtk
 Group:          Development/Languages/Python
@ -512,6 +515,8 @@ cp -a %{SOURCE12} service-type-database/build-db
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1

 %if !%{build_core}
 # Replace all .la references from local .la files to installed versions
--- a/harden_avahi-daemon.service.patch
+++ b/harden_avahi-daemon.service.patch
@ -0,0 +1,24 @@
+Index: avahi-0.8/avahi-daemon/avahi-daemon.service.in
+===================================================================
+--- avahi-0.8.orig/avahi-daemon/avahi-daemon.service.in
+++ avahi-0.8/avahi-daemon/avahi-daemon.service.in
+@@ -20,6 +20,19 @@ Description=Avahi mDNS/DNS-SD Stack
+ Requires=avahi-daemon.socket
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=dbus
+ BusName=org.freedesktop.Avahi
+ ExecStart=@sbindir@/avahi-daemon -s
--- a/harden_avahi-dnsconfd.service.patch
+++ b/harden_avahi-dnsconfd.service.patch
@ -0,0 +1,24 @@
+Index: avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
+===================================================================
+--- avahi-0.8.orig/avahi-dnsconfd/avahi-dnsconfd.service.in
+++ avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
+@@ -21,6 +21,19 @@ Requires=avahi-daemon.socket avahi-daemo
+ After=avahi-daemon.socket
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ ExecStart=@sbindir@/avahi-dnsconfd -s
+