pool/avahi
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1040260 from GNOME:Factory

Browse Source 
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_avahi-daemon.service.patch
  * harden_avahi-dnsconfd.service.patch

  by anything. this makes the spec file slightly more readable.

OBS-URL: https://build.opensuse.org/request/show/1040260
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/avahi?expand=0&rev=154
This commit is contained in:
Dominique Leuenberger 2022-12-07 16:33:45 +00:00 committed by Git OBS Bridge
commit 4cd9d0ffcb
4 changed files with 62 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
avahi.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Dec 5 12:35:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_avahi-daemon.service.patch
* harden_avahi-dnsconfd.service.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Sep 4 12:19:08 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> Sun Sep 4 12:19:08 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
@ -27,7 +34,7 @@ Wed Feb 23 11:13:07 UTC 2022 - Dirk Müller <dmueller@suse.com>
Thu Feb 17 00:03:22 UTC 2022 - Dirk Müller <dmueller@suse.com> Thu Feb 17 00:03:22 UTC 2022 - Dirk Müller <dmueller@suse.com>
- remove avahi-mono* subspecfiles, they are no longer required - remove avahi-mono* subspecfiles, they are no longer required
by anything. this makes the spec file slightly more readable. by anything. this makes the spec file slightly more readable.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 16 18:26:01 UTC 2022 - Michael Gorse <mgorse@suse.com> Wed Feb 16 18:26:01 UTC 2022 - Michael Gorse <mgorse@suse.com>

7
avahi.spec
View File

@ -105,6 +105,8 @@ Patch25: 0006-man-add-missing-bshell.1-symlink.patch
Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch
# PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display. # PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display.
Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch
Patch28: harden_avahi-daemon.service.patch
Patch29: harden_avahi-dnsconfd.service.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gdbm-devel BuildRequires: gdbm-devel
@ -416,8 +418,9 @@ DNS specifications for Zeroconf Computing.
# This is the avahi-discover command, only provided for the primary python3 flavor
# This is the avahi-discover command, only provided for the primary python3 flavor
%package -n python3-avahi-gtk %package -n python3-avahi-gtk
Summary: A set of Avahi utilities written in Python Using python-gtk Summary: A set of Avahi utilities written in Python Using python-gtk
Group: Development/Languages/Python Group: Development/Languages/Python
@ -512,6 +515,8 @@ cp -a %{SOURCE12} service-type-database/build-db
%patch25 -p1 %patch25 -p1
%patch26 -p1 %patch26 -p1
%patch27 -p1 %patch27 -p1
%patch28 -p1
%patch29 -p1
%if !%{build_core} %if !%{build_core}
# Replace all .la references from local .la files to installed versions # Replace all .la references from local .la files to installed versions

24
harden_avahi-daemon.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: avahi-0.8/avahi-daemon/avahi-daemon.service.in
===================================================================
--- avahi-0.8.orig/avahi-daemon/avahi-daemon.service.in
+++ avahi-0.8/avahi-daemon/avahi-daemon.service.in
@@ -20,6 +20,19 @@ Description=Avahi mDNS/DNS-SD Stack
Requires=avahi-daemon.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=dbus
BusName=org.freedesktop.Avahi
ExecStart=@sbindir@/avahi-daemon -s

24
harden_avahi-dnsconfd.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
===================================================================
--- avahi-0.8.orig/avahi-dnsconfd/avahi-dnsconfd.service.in
+++ avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in
@@ -21,6 +21,19 @@ Requires=avahi-daemon.socket avahi-daemo
After=avahi-daemon.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@sbindir@/avahi-dnsconfd -s