5bea13db12
* rust: Update to latest standards
* totemsrp: Fix orf_token stats
* totem: Use uint64_t type and QB_TIME_NS_IN_MSEC
* totem: Use proper timestamp type for token warning
* stats: Store token rx and tx timestamps as 64-bit
* rust: fix clippy warning in rust 1.81
* coroparse: Free kv_item key and value on failure
* icmap: Free memory if qb_map_notify_add fails
* cfg: Free new_config interfaces on failure
* main: support lock pid file arg
* man: fix a typo in cpg_model_initialize
* man: Improve quorum provider formatting
* rust: tests return errors and don't hang
* rust: Improve Rust bindings
* Move corosync-notifyd policy file into $(datadir)/dbus-1/system.d
* man: corosync.conf: Multi improvements
* totem: Fix reference links
* Report crypto errors back to cfg reload
* Fix up the library .versions files
* configure: Fix building of rust for release
* License: Fix year (mainly to fix rust building)

OBS-URL: https://build.opensuse.org/package/show/network:ha-clustering:Factory/corosync?expand=0&rev=202
54 lines
1.5 KiB
Diff
From 6d977c3f286a39b7e35c46ad3642a34617bdd833 Mon Sep 17 00:00:00 2001
From: nicholasyang <nicholas.yang@suse.com>
Date: Wed, 13 Nov 2024 14:28:53 +0800
Subject: [PATCH] harden services with systemd sandboxing
---
init/corosync-notifyd.service.in | 10 ++++++++++
init/corosync.service.in | 10 ++++++++++
2 files changed, 20 insertions(+)
diff --git a/init/corosync-notifyd.service.in b/init/corosync-notifyd.service.in
index 410a6837..604a2a47 100644
--- a/init/corosync-notifyd.service.in
+++ b/init/corosync-notifyd.service.in
@@ -10,5 +10,15 @@ ExecStart=@SBINDIR@/corosync-notifyd -f $OPTIONS
Type=notify
Restart=on-failure
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
[Install]
WantedBy=multi-user.target
|
|
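Review bot: The block added after Restart=on-failure is documented only by a URL, so the unit does not say which of corosync-notifyd's notification paths were exercised with these restrictions active. The directives apply to everything that $OPTIONS enables on the ExecStart line, and ProtectHome=true and PrivateDevices=true in particular can break an option that reads a file under /home or /root or opens a device node. Please record in the commit message, or in a short comment above the block, which option combinations were tested. Since this list is identical to the one added to corosync.service, it is also worth stating whether notifyd was assessed on its own, because a daemon with a narrower job can usually take a tighter set than the cluster engine.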
diff --git a/init/corosync.service.in b/init/corosync.service.in
index bd2a48a9..63381f47 100644
--- a/init/corosync.service.in
+++ b/init/corosync.service.in
@@ -30,5 +30,15 @@ StandardError=null
# rewrite according to environment.
#ExecStartPre=/sbin/modprobe softdog
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
[Install]
WantedBy=multi-user.target
|
|
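Review bot: ProtectKernelModules=true and PrivateDevices=true conflict with the softdog hint kept as context directly above the new block ("#ExecStartPre=/sbin/modprobe softdog"). ProtectKernelModules= denies module loading to every command the unit runs, ExecStartPre= included, so an administrator who uncomments that line as its comment invites will get a failing modprobe. PrivateDevices=true also gives the service a private /dev holding only pseudo-devices, so the /dev/watchdog node that softdog provides would not be visible to corosync even if the module were loaded by other means. Either leave these two directives out of corosync.service, or update the comment in the same patch to say that the watchdog module must be loaded outside the sandbox (for example with a "+" prefixed ExecStartPre=) and that watchdog device access needs PrivateDevices= turned off.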
--
2.47.0