From 583b912711d987f336175302099c727eb5ad402eaaf3e0b3c2b48d778d064f3a Mon Sep 17 00:00:00 2001 From: Alexandre Vicenzi Date: Thu, 2 Sep 2021 14:38:26 +0000 Subject: [PATCH] Accepting request 914365 from home:jsegitz:branches:systemdhardening:server:http Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/914365 OBS-URL: https://build.opensuse.org/package/show/server:http/caddy?expand=0&rev=5 --- caddy.changes | 6 ++++++ caddy.service | 12 ++++++++++++ caddy.spec | 3 ++- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/caddy.changes b/caddy.changes index 309eea5..2f752a3 100644 --- a/caddy.changes +++ b/caddy.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Aug 25 13:55:21 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s). Modified: + * caddy.service + ------------------------------------------------------------------- Mon May 24 12:55:21 UTC 2021 - alexandre.vicenzi@suse.com diff --git a/caddy.service b/caddy.service index 18d47b5..c0dd98a 100644 --- a/caddy.service +++ b/caddy.service @@ -14,6 +14,18 @@ LimitNOFILE=1048576 LimitNPROC=512 PrivateTmp=true ProtectSystem=full +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] diff --git a/caddy.spec b/caddy.spec index afd5ab3..8f8bf7b 100644 --- a/caddy.spec +++ b/caddy.spec 
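Review bot: `ProtectHome=true` is the added line most likely to cause a visible regression, because a web server is commonly pointed at content under /home (for example a `file_server` root in the Caddyfile) and the commit message itself says the change has not been tested. Since Caddy only needs to read such content, `ProtectHome=read-only` would keep the hardening intent without a hard failure; alternatively keep `true` but add a line to the caddy.changes entry telling admins to override it with a drop-in (`systemctl edit caddy`) when serving from /home. The other additions look appropriate for a Go web server: per systemd.exec(5) `PrivateDevices=` still provides /dev/urandom, and nothing in a reverse proxy/static server should need the clock, hostname, kernel tunables or cgroup tree. Whether `NoNewPrivileges=` or `CapabilityBoundingSet=` are already set is not visible in this hunk; if they are not, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` would be a natural companion to the existing `AmbientCapabilities=CAP_NET_BIND_SERVICE` line.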
@@ -15,6 +15,7 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + %define project github.com/caddyserver/caddy Name: caddy @@ -32,8 +33,8 @@ Source4: index.html Source5: bash-completion Source6: _caddy BuildRequires: golang-packaging -BuildRequires: golang(API) >= 1.15 BuildRequires: systemd-rpm-macros +BuildRequires: golang(API) >= 1.15 %{?systemd_requires} %{go_provides} # Make sure that the binary is not getting stripped.