diff --git a/cups.changes b/cups.changes
index 11f11d2..bfebe04 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Oct 15 07:31:10 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_cups.service.patch
+
 -------------------------------------------------------------------
 Mon Jun 7 13:23:25 CEST 2021 - jsmeix@suse.de
diff --git a/cups.spec b/cups.spec
index 35e4785..f804a31 100644
--- a/cups.spec
+++ b/cups.spec
@@ -85,6 +85,7 @@ Patch103: cups-1.4-do_not_strip_recommended_from_PPDs.patch
 Patch104: cups-config-libs.patch
 # Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
 Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch
+Patch107: harden_cups.service.patch
 # Build Requirements:
 BuildRequires: dbus-1-devel
 BuildRequires: fdupes
@@ -309,6 +310,7 @@ printer drivers for CUPS.
 %patch104 -b cups-config-libs.orig
 # Patch106 Fixes web UI Kerberos authentication (bsc#1175960)
 %patch106 -p1
+%patch107 -p1
 %build
 # Remove ".SILENT" rule for verbose build output
diff --git a/harden_cups.service.patch b/harden_cups.service.patch
new file mode 100644
index 0000000..2c63daa
--- /dev/null
+++ b/harden_cups.service.patch
@@ -0,0 +1,22 @@
+Index: cups-2.3.3op2/scheduler/cups.service.in
+===================================================================
+--- cups-2.3.3op2.orig/scheduler/cups.service.in
++++ cups-2.3.3op2/scheduler/cups.service.in
+@@ -5,6 +5,17 @@ After=network.target sssd.service ypbind
+ Requires=cups.socket
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ExecStart=@sbindir@/cupsd -l
+ Type=notify
+ Restart=on-failure
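Review bot: `ProtectSystem=full` in the added block mounts `/etc` read-only for cupsd and for every filter and backend it starts, and no `ReadWritePaths=` line accompanies it. cupsd rewrites files under its ServerRoot at runtime (printers.conf, per-queue PPD files), so if ServerRoot is below `/etc`, as in the upstream default layout, creating or changing a queue would presumably fail with a read-only file system error. Add `ReadWritePaths=<ServerRoot directory>` beside it, or use `ProtectSystem=true`, which leaves `/etc` writable. `ProtectHome=true` also hides `/run/user`, which may matter for the Kerberos setups Patch106 refers to; that is inferred, not shown here. The `[Service]` section continues past the patch context, so an exception further down cannot be ruled out from this hunk.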