From a94c383238ff678e181a270850751ae7e3537e46f5e90a5179dd8e8decd44665 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Sat, 4 Sep 2021 15:06:47 +0000
Subject: [PATCH] Accepting request 915264 from home:jsegitz:branches:systemdhardening:network:time

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/915264
OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=104
---
 chrony.changes | 7 +++++++
 chrony.spec | 4 ++++
 harden_chrony-wait.service.patch | 24 ++++++++++++++++++++++++
 harden_chronyd.service.patch | 20 ++++++++++++++++++++
 4 files changed, 55 insertions(+)
 create mode 100644 harden_chrony-wait.service.patch
 create mode 100644 harden_chronyd.service.patch

diff --git a/chrony.changes b/chrony.changes
index d9137d0..2f69890 100644
--- a/chrony.changes
+++ b/chrony.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_chrony-wait.service.patch
+ * harden_chronyd.service.patch
+
 -------------------------------------------------------------------
 Thu Jul 1 12:38:13 UTC 2021 - Reinhard Max

diff --git a/chrony.spec b/chrony.spec
index 7d06103..4c6f632 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -55,6 +55,8 @@ Patch1: chrony-service-helper.patch
 Patch2: chrony-logrotate.patch
 Patch3: chrony-service-ordering.patch
 Patch4: chrony-refid-internal-md5.patch
+Patch5: harden_chrony-wait.service.patch
+Patch6: harden_chronyd.service.patch
 BuildRequires: NetworkManager-devel
 BuildRequires: bison
 BuildRequires: gcc-c++
@@ -155,6 +157,8 @@ sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
 %patch2 -p1
 %patch3
 %patch4
+%patch5 -p1
+%patch6 -p1
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .

diff --git a/harden_chrony-wait.service.patch b/harden_chrony-wait.service.patch
new file mode 100644
index 0000000..5d103d7
--- /dev/null
+++ b/harden_chrony-wait.service.patch
@@ -0,0 +1,24 @@
+Index: chrony-4.1/examples/chrony-wait.service
+===================================================================
+--- chrony-4.1.orig/examples/chrony-wait.service
++++ chrony-4.1/examples/chrony-wait.service
+@@ -7,6 +7,19 @@ Before=time-sync.target
+ Wants=time-sync.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ # Wait for chronyd to update the clock and the remaining
+ # correction to be less than 0.1 seconds
diff --git a/harden_chronyd.service.patch b/harden_chronyd.service.patch
new file mode 100644
index 0000000..c026810
--- /dev/null
+++ b/harden_chronyd.service.patch
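Review bot: The directive set added to chrony-wait.service is deliberately stricter than the one the sibling harden_chronyd.service.patch applies (`ProtectClock=true`, `ProtectKernelTunables=true` and `RestrictRealtime=true` appear only in this unit), but nothing in the patch records why, and the `# added automatically` comment only points at the wiki. The context lines (`Type=oneshot`, "Wait for chronyd to update the clock") suggest this unit presumably only runs chronyc to wait for synchronization; its ExecStart is outside the inner hunk, so that cannot be confirmed here. A one-line comment such as `# chrony-wait only runs chronyc against chronyd's control socket and never adjusts the clock, so ProtectClock/RestrictRealtime are safe here (unlike in chronyd.service)` would stop the next maintainer from copying this stricter set into chronyd.service. Note also that `ProtectClock=true` brings its own `DeviceAllow=char-rtc r` rule with it, which is harmless for a chronyc client but worth knowing when reading the effective device policy.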
@@ -0,0 +1,20 @@
+Index: chrony-4.1/examples/chronyd.service
+===================================================================
+--- chrony-4.1.orig/examples/chronyd.service
++++ chrony-4.1/examples/chronyd.service
+@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS
+ PrivateTmp=yes
+ ProtectHome=yes
+ ProtectSystem=full
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++PrivateDevices=true
++ProtectHostname=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++DeviceAllow=char-rtc
++# end of automatic additions
+ 
+ [Install]
+ WantedBy=multi-user.target
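Review bot: `PrivateDevices=true` with only `DeviceAllow=char-rtc` opened back up leaves chronyd without the other device nodes its reference-clock drivers open (`/dev/ptp*` for `refclock PHC`, `/dev/pps*` for `refclock PPS`), so any deployment that configures such a refclock will presumably lose it once this patch is applied; the commit description itself states the change is untested. If refclock support is meant to keep working, add `DeviceAllow=char-ptp` and `DeviceAllow=char-pps` next to the rtc rule, or extend the `# added automatically` comment to say that PHC/PPS refclocks now need a drop-in re-allowing those device classes. The `DeviceAllow=char-rtc` line omits an access mode, which systemd treats as `rwm`; writing it as `DeviceAllow=char-rtc rw` states the intended scope explicitly and drops the unneeded mknod right. The unit's `[Service]` section starts before the inner hunk, so whether a `CapabilityBoundingSet` already limits chronyd to the capabilities it needs for clock stepping cannot be checked from this view.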