Accepting request 940430 from GNOME:Factory

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort (forwarded request 940297 from jsegitz)

OBS-URL: https://build.opensuse.org/request/show/940430
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/colord?expand=0&rev=85

colord.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Dec 13 16:03:21 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_colord.service.patch
+
 -------------------------------------------------------------------
 Sat Nov 20 15:53:00 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
 

colord.spec

@@ -28,6 +28,7 @@ URL:            https://github.com/hughsie/colord/
 Source0:        https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz
 Source1:        https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz.asc
 Source2:        %{name}.keyring
+Patch0:	harden_colord.service.patch
 # Apparmor profile
 Source3:        usr.lib.colord
 Source4:        colord.sysusers

harden_colord.service.patch

@@ -0,0 +1,19 @@
+Index: colord-1.4.5/data/colord.service.in
+===================================================================
+--- colord-1.4.5.orig/data/colord.service.in
++++ colord-1.4.5/data/colord.service.in
+@@ -10,3 +10,14 @@ User=@daemon_user@
+ # network namespacing is on.
+ # PrivateNetwork=yes
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions