Accepting request 914365 from home:jsegitz:branches:systemdhardening:server:http

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/914365
OBS-URL: https://build.opensuse.org/package/show/server:http/caddy?expand=0&rev=5
Alexandre Vicenzi 2021-09-02 14:38:26 +00:00 committed by Git OBS Bridge
parent dca65c36eb
commit 583b912711
3 changed files with 20 additions and 1 deletions


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Aug 25 13:55:21 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s). Modified:
* caddy.service
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 24 12:55:21 UTC 2021 - alexandre.vicenzi@suse.com Mon May 24 12:55:21 UTC 2021 - alexandre.vicenzi@suse.com
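Review bot: the new changelog entry names caddy.service as modified but does not say which directives were added or that the change is untested, which the commit message states. Listing the added directives (or at least ProtectHome and PrivateDevices) and the reference URL in the entry would let an administrator who hits a regression after the update find the cause from the changelog alone.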


@ -14,6 +14,18 @@ LimitNOFILE=1048576
LimitNPROC=512 LimitNPROC=512
PrivateTmp=true PrivateTmp=true
ProtectSystem=full ProtectSystem=full
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
AmbientCapabilities=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install] [Install]
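Review bot: ProtectHome=true in the added block makes /home, /root and /run/user inaccessible to the service, so any site root or configuration path under a home directory stops working after this update, and the commit message says the change was not tested. Consider ProtectHome=read-only if serving content from home directories should stay supported, or document that such setups need a drop-in override. ProtectHostname, ProtectKernelLogs and ProtectClock also need systemd 242, 244 and 245 respectively; older versions log a warning and ignore them, so the hardening is silently weaker there.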


@ -15,6 +15,7 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
%define project github.com/caddyserver/caddy %define project github.com/caddyserver/caddy
Name: caddy Name: caddy
@ -32,8 +33,8 @@ Source4: index.html
Source5: bash-completion Source5: bash-completion
Source6: _caddy Source6: _caddy
BuildRequires: golang-packaging BuildRequires: golang-packaging
BuildRequires: golang(API) >= 1.15
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: golang(API) >= 1.15
%{?systemd_requires} %{?systemd_requires}
%{go_provides} %{go_provides}
# Make sure that the binary is not getting stripped. # Make sure that the binary is not getting stripped.
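Review bot: moving "BuildRequires: golang(API) >= 1.15" above "BuildRequires: systemd-rpm-macros" is a reordering unrelated to the hardening this commit describes, and the changelog entry lists only caddy.service as modified. Either drop the reorder from this request or mention the spec file cleanup in the changelog so the three changed files are all accounted for.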