diff --git a/colord.changes b/colord.changes
index 52844b1..966deee 100644
--- a/colord.changes
+++ b/colord.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Dec 13 16:03:21 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_colord.service.patch
+
 -------------------------------------------------------------------
 Sat Nov 20 15:53:00 UTC 2021 - Callum Farmer
 
diff --git a/colord.spec b/colord.spec
index 2f7e8df..b04f514 100644
--- a/colord.spec
+++ b/colord.spec
@@ -28,6 +28,7 @@ URL: https://github.com/hughsie/colord/
 Source0: https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz
 Source1: https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz.asc
 Source2: %{name}.keyring
+Patch0: harden_colord.service.patch
 # Apparmor profile
 Source3: usr.lib.colord
 Source4: colord.sysusers
diff --git a/harden_colord.service.patch b/harden_colord.service.patch
new file mode 100644
index 0000000..2029123
--- /dev/null
+++ b/harden_colord.service.patch
@@ -0,0 +1,19 @@
+Index: colord-1.4.5/data/colord.service.in
+===================================================================
+--- colord-1.4.5.orig/data/colord.service.in
++++ colord-1.4.5/data/colord.service.in
+@@ -10,3 +10,14 @@ User=@daemon_user@
+ # network namespacing is on.
+ # PrivateNetwork=yes
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
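Review bot: `Patch0:` is declared in the colord.spec hunk, but nothing visible here applies it. `%prep` lies outside the hunk, so unless it uses `%autosetup -p1` or gains a `%patch0 -p1` line, the hardening never reaches the installed `colord.service` and the changelog entry would be wrong. The patch paths (`colord-1.4.5.orig/…` and `colord-1.4.5/…`) need strip level 1. A build-time assertion that the generated unit contains `ProtectSystem=` would catch a silently unapplied patch.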
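Review bot: `ProtectSystem=full` in harden_colord.service.patch makes only `/usr`, `/boot`, `/efi` and `/etc` read-only, so `/var` and the rest of the hierarchy stay writable to the daemon. `ProtectSystem=strict` plus an explicit `ReadWritePaths=` (or `StateDirectory=`) for colord's data directory would be tighter, though the paths colord writes to are not visible here and need confirming. The block is marked "added automatically", so a short comment such as `# verified against colord: device and profile storage access still work` would record that the settings were tested with this daemon. The retained `# PrivateNetwork=yes` context shows network isolation is still off, so `RestrictAddressFamilies=` is worth evaluating as a follow-up. The `[Service]` section starts outside the hunk, and `systemd-analyze security colord.service` on a built package gives the remaining exposure.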