From 8115a427eafa0554a369aae7cf5bb94c269d4db4406f69d6b598addf4b198a93 Mon Sep 17 00:00:00 2001
From: Hillwood Yang
Date: Tue, 14 Sep 2021 02:42:19 +0000
Subject: [PATCH] Accepting request 917954 from home:jsegitz:branches:systemdhardening:X11:Deepin

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/917954
OBS-URL: https://build.opensuse.org/package/show/X11:Deepin/deepin-daemon?expand=0&rev=17
---
 deepin-daemon.changes | 7 ++++
 deepin-daemon.spec | 39 +++++++++++----------
 harden_deepin-accounts-daemon.service.patch | 24 +++++++++++++
 harden_hwclock_stop.service.patch | 23 ++++++++++++
 4 files changed, 75 insertions(+), 18 deletions(-)
 create mode 100644 harden_deepin-accounts-daemon.service.patch
 create mode 100644 harden_hwclock_stop.service.patch
diff --git a/deepin-daemon.changes b/deepin-daemon.changes
index 782009d..4a0102f 100644
--- a/deepin-daemon.changes
+++ b/deepin-daemon.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Sep 3 07:04:36 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_deepin-accounts-daemon.service.patch
+ * harden_hwclock_stop.service.patch
+
 -------------------------------------------------------------------
 Sat Aug 28 14:32:55 UTC 2021 - Hillwood Yang
diff --git a/deepin-daemon.spec b/deepin-daemon.spec
index d8c17bf..569fdba 100644
--- a/deepin-daemon.spec
+++ b/deepin-daemon.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package deepin-daemon
 #
-# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,9 +12,10 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
+
 %define _name dde-daemon
 %define import_path pkg.deepin.io/dde/daemon
@@ -22,7 +23,8 @@ Name: deepin-daemon
 Version: 5.13.36
 Release: 0
 Summary: Daemon handling the DDE session settings
-License: GPL-3.0+
+License: GPL-3.0-or-later
+Group: System/GUI/Other
 URL: https://github.com/linuxdeepin/dde-daemon
 Source0: https://github.com/linuxdeepin/dde-daemon/archive/%{version}/%{_name}-%{version}.tar.gz
 Source1: %{name}.sysusers
@@ -38,39 +40,40 @@ Patch1: %{name}-libinput.patch
 # PATCH-FIX-OPENSUSE disable-gobuild-in-makefile.patch hillwood@opensuse.org
 # Use gobuild macro instead of makefile to build go binaries
 Patch2: disable-gobuild-in-makefile.patch
-Group: System/GUI/Other
+Patch3: harden_deepin-accounts-daemon.service.patch
+Patch4: harden_hwclock_stop.service.patch
 %if 0%{?suse_version} > 1500
 BuildRequires: golang(API) = 1.15
 %endif
-BuildRequires: golang-packaging
 BuildRequires: deepin-gettext-tools
 BuildRequires: fontpackages-devel
+BuildRequires: golang-github-linuxdeepin-dde-api
+BuildRequires: golang-github-linuxdeepin-go-dbus-factory
+BuildRequires: golang-packaging
 BuildRequires: pam-devel
 BuildRequires: pkgconfig(alsa)
 BuildRequires: pkgconfig(fontconfig)
-BuildRequires: pkgconfig(gnome-keyring-1)
 BuildRequires: pkgconfig(gdk-pixbuf-xlib-2.0)
-BuildRequires: pkgconfig(gtk+-3.0)
 BuildRequires: pkgconfig(gio-2.0)
+BuildRequires: pkgconfig(gnome-keyring-1)
+BuildRequires: pkgconfig(gtk+-3.0)
+BuildRequires: pkgconfig(gudev-1.0)
 BuildRequires: pkgconfig(libbamf3)
 BuildRequires: pkgconfig(libcanberra)
+BuildRequires: pkgconfig(libinput)
 BuildRequires: pkgconfig(libnl-3.0)
 BuildRequires: pkgconfig(libnl-genl-3.0)
 BuildRequires: pkgconfig(libpulse)
+BuildRequires: pkgconfig(librsvg-2.0)
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(libudev)
-BuildRequires: pkgconfig(gudev-1.0)
-BuildRequires: pkgconfig(librsvg-2.0)
-BuildRequires: pkgconfig(libinput)
 BuildRequires: pkgconfig(poppler-glib)
 BuildRequires: pkgconfig(x11)
-BuildRequires: pkgconfig(xi)
-BuildRequires: pkgconfig(xtst)
 BuildRequires: pkgconfig(xcursor)
 BuildRequires: pkgconfig(xfixes)
+BuildRequires: pkgconfig(xi)
 BuildRequires: pkgconfig(xkbfile)
-BuildRequires: golang-github-linuxdeepin-go-dbus-factory
-BuildRequires: golang-github-linuxdeepin-dde-api
+BuildRequires: pkgconfig(xtst)
 %if 0%{?sle_version} == 150200
 BuildRequires: golang-github-stretchr-testify
 %endif
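Review bot: Patch3 and Patch4 are declared in this hunk, but no hunk in the commit touches %prep, which lies outside this hunk; unless %prep already applies patches with %autosetup or %autopatch, the two hardening patches are declared and never applied, and the packaged units ship exactly as before. The inner patches use a `dde-daemon-5.13.36/` path prefix, so explicit application would be `%patch3 -p1` and `%patch4 -p1` next to the existing %patch lines. Since the commit message states the change is untested, checking the build log for both patch names being applied would settle this before merge.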
@@ -86,9 +89,9 @@ Requires: gvfs
 Requires: iw
 Requires: rfkill
 Requires: upower
+Requires: wallpaper-branding-openSUSE
 Requires: xdotool
 Requires: xvfb-run
-Requires: wallpaper-branding-openSUSE
 %if %{suse_version} > 1500
 Requires: libgdk_pixbuf_xlib-2_0-0
 %else
@@ -106,6 +109,7 @@ Deepin Daemon is a daemon for handling the deepin session settings
 %package polkit
 Summary: Deepin daemon polkit profiles
+Group: System/GUI/Other
 Requires: %{name} = %{version}-%{release}
 BuildArch: noarch
 AutoReqProv: Off
@@ -117,6 +121,7 @@ them manually or use deepin-polkit-install package.
 %package dbus
 Summary: Deepin daemon DBus profiles
+Group: System/GUI/Other
 Requires: %{name} = %{version}-%{release}
 BuildArch: noarch
 AutoReqProv: Off
@@ -129,10 +134,9 @@ them manually or use deepin-dbus-install package.
 %package -n golang-github-linuxdeepin-deepin-daemon
 Summary: Deepin daemon golang codes
 Group: Development/Languages/Golang
-Requires: golang-github-linuxdeepin-go-dbus-factory
 Requires: golang-github-linuxdeepin-dde-api
+Requires: golang-github-linuxdeepin-go-dbus-factory
 BuildArch: noarch
-AutoReqProv: On
 AutoReq: Off
 %{go_provides}
@@ -330,4 +334,3 @@ fi
 %files lang -f %{_name}.lang
 %changelog
-
diff --git a/harden_deepin-accounts-daemon.service.patch b/harden_deepin-accounts-daemon.service.patch
new file mode 100644
index 0000000..7d586c8
--- /dev/null
+++ b/harden_deepin-accounts-daemon.service.patch
@@ -0,0 +1,24 @@
+Index: dde-daemon-5.13.36/misc/systemd/services/deepin-accounts-daemon.service
+===================================================================
+--- dde-daemon-5.13.36.orig/misc/systemd/services/deepin-accounts-daemon.service
++++ dde-daemon-5.13.36/misc/systemd/services/deepin-accounts-daemon.service
+@@ -8,6 +8,19 @@ After=nss-user-lookup.target lightdm.ser
+ Wants=nss-user-lookup.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=dbus
+ BusName=com.deepin.daemon.Accounts
+ ExecStart=/usr/lib/deepin-daemon/dde-system-daemon
diff --git a/harden_hwclock_stop.service.patch b/harden_hwclock_stop.service.patch
new file mode 100644
index 0000000..ed3f710
--- /dev/null
+++ b/harden_hwclock_stop.service.patch
@@ -0,0 +1,23 @@
+Index: dde-daemon-5.13.36/misc/systemd/services/hwclock_stop.service
+===================================================================
+--- dde-daemon-5.13.36.orig/misc/systemd/services/hwclock_stop.service
++++ dde-daemon-5.13.36/misc/systemd/services/hwclock_stop.service
+@@ -3,6 +3,18 @@ Description=sync RTC from system time
+ Before=shutdown.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ExecStart=hwclock -s
+ ExecStop=hwclock -w
+ RemainAfterExit=yes
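Review bot: `ProtectSystem=full` and `ProtectHome=true` in the added [Service] lines make /etc read-only and /home, /root and /run/user inaccessible to dde-system-daemon, while this unit owns `com.deepin.daemon.Accounts`, which by its bus name manages user accounts; if that interface creates or modifies users (writing /etc/passwd, /etc/shadow, home directories or per-user data) those calls will now fail, and the commit message itself says the change was not tested. That the daemon writes those paths is inferred from the bus name only, so it should be confirmed by exercising user creation, deletion and password change through the DBus interface under the hardened unit. If they break, the narrower relaxation is `ProtectSystem=true` (only /usr and /boot read-only) with `ProtectHome=read-only` or a `ReadWritePaths=` entry for the exact paths written, rather than dropping the hardening block. ExecStart runs dde-system-daemon, which may host more modules than Accounts, so the same check applies to whatever else that binary does.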
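Review bot: `PrivateDevices=true` in the added hwclock_stop.service lines gives the unit a private /dev holding only pseudo-devices, so /dev/rtc* is absent and both `ExecStart=hwclock -s` and `ExecStop=hwclock -w` cannot open the RTC; ProtectClock= was rightly left out of this unit, but PrivateDevices blocks the same device by another route. Replace it with an explicit allow-list, `DevicePolicy=closed` and `DeviceAllow=char-rtc rw`, which keeps the rest of /dev closed while exposing the clock. `hwclock -w` normally also updates /etc/adjtime, which `ProtectSystem=full` makes read-only; either add `ReadWritePaths=/etc/adjtime` or confirm that a failed adjtime update is acceptable for this unit. The in-unit comment should also record why ProtectClock= is absent, e.g. `# ProtectClock= deliberately omitted: this unit writes the RTC`, so a later automated pass does not re-add it.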