From dc54688f330faef53f70c133973938632b56172a5084815097470515f6eb1dde Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Fri, 17 Sep 2021 09:40:15 +0000
Subject: [PATCH 1/6] Accepting request 918936 from home:jsegitz:branches:systemdhardening:network
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/918936
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=136
---
 dnsmasq.changes | 8 ++++++++
 dnsmasq.service | 12 ++++++++++++
 dnsmasq.spec | 2 ++
 harden_dnsmasq.service.patch | 24 ++++++++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 harden_dnsmasq.service.patch
diff --git a/dnsmasq.changes b/dnsmasq.changes
index dee8ae4..b4c53fd 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_dnsmasq.service.patch
+ Modified:
+ * dnsmasq.service
+
 -------------------------------------------------------------------
 Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer
 
diff --git a/dnsmasq.service b/dnsmasq.service
index 189fc17..5a6e26d 100644
--- a/dnsmasq.service
+++ b/dnsmasq.service
@@ -5,6 +5,18 @@ Wants=nss-lookup.target
 Before=nss-lookup.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=dbus
 BusName=uk.org.thekelleys.dnsmasq
 ExecStartPre=/usr/sbin/dnsmasq --test
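Review bot: The directives added to the shipped `dnsmasq.service` bind every child dnsmasq spawns as well, so an administrator's `--dhcp-script` hook will run with a read-only /usr and /etc (`ProtectSystem=full`) and an empty /home (`ProtectHome=true`); since the commit message says this was not tested, a pointer in the unit would save debugging time, e.g. after `# end of automatic additions`: `# NOTE: the sandbox above also applies to --dhcp-script hooks; relax it here if a hook must write outside /var.` The set also stops short of `CapabilityBoundingSet=`, which is where most of the gain is for a daemon that starts as root and drops privileges itself; which capabilities dnsmasq keeps under this package's defaults is not visible here (the 2.86 entry later in this series mentions CAP_NET_ADMIN for conntrack), so that needs the testing this commit defers. Note that the companion patch in this same commit gives the upstream contrib unit `PrivateDevices=true`, which this unit does not get.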
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 458fa68..917d09d 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -37,6 +37,7 @@ Source5: rc.dnsmasq-suse
 Source6: system-user-dnsmasq.conf
 Source8: %{name}-rpmlintrc
 Patch0: dnsmasq-groups.patch
+Patch1: harden_dnsmasq.service.patch
 BuildRequires: dbus-1-devel
 BuildRequires: dos2unix
 BuildRequires: libidn2-devel
@@ -75,6 +76,7 @@ server's leases.
 
 %prep
 %setup -q
 %patch0
+%patch1 -p1
 # Remove the executable bit from python example files to
 # avoid unwanted automatic dependencies
diff --git a/harden_dnsmasq.service.patch b/harden_dnsmasq.service.patch
new file mode 100644
index 0000000..7f4863a
--- /dev/null
+++ b/harden_dnsmasq.service.patch
@@ -0,0 +1,24 @@
+Index: dnsmasq-2.85/contrib/systemd/dnsmasq.service
+===================================================================
+--- dnsmasq-2.85.orig/contrib/systemd/dnsmasq.service
++++ dnsmasq-2.85/contrib/systemd/dnsmasq.service
+@@ -5,6 +5,19 @@ Before=network-online.target nss-lookup.
+ Wants=nss-lookup.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=dbus
+ BusName=uk.org.thekelleys.dnsmasq
+ ExecStartPre=/usr/sbin/dnsmasq --test
From 049fbc620b2eba69cecd0c3952e2849fb20d1ccbb545aca34d641a7b172076ee Mon Sep 17 00:00:00 2001
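Review bot: This hardening block for `contrib/systemd/dnsmasq.service` contains `PrivateDevices=true`, which the packaged `dnsmasq.service` changed in the same commit does not, so the two units this commit claims to harden the same way end up with different sandboxes; either add `PrivateDevices=true` to `dnsmasq.service` or drop it here so the two "added automatically" blocks stay identical. Which of the two units `%install` actually ships is not visible from the spec fragments on this page, and a later patch in this series deletes this file again while the changelog keeps saying hardening was added, so the shipped unit is the one whose directive set matters. `PrivateDevices=true` should be harmless for a daemon that only opens sockets, but like the rest it is untested according to the commit message.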
From: Reinhard Max
Date: Fri, 17 Sep 2021 11:27:06 +0000
Subject: [PATCH 2/6] - Update to 2.86: * Handle DHCPREBIND requests in the DHCPv6 server code. * Fix bug which caused dnsmasq to lose track of processes forked to handle TCP DNS connections under heavy load. * Major rewrite of the DNS server and domain handling code. This should be largely transparent, but it drastically improves performance and reduces memory foot-print when configuring large numbers of domains. * Revise resource handling for number of concurrent DNS queries. * Improve efficiency of DNSSEC. * Connection track mark based DNS query filtering. * Allow smaller than 64 prefix lengths in synth-domain, with caveats. --synth-domain=1234:4567::/56,example.com is now valid. * Make domains generated by --synth-domain appear in replies when in authoritative mode. * Ensure CAP_NET_ADMIN capability is available when conntrack is configured. * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are given a directory as argument, define the order in which files within that directory are read (alphabetical order of filename). - Added hardening to systemd service(s) (bsc#1181400).
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=137
---
 dnsmasq-2.85.tar.xz | 3 ---
 dnsmasq-2.85.tar.xz.asc | 16 ----------------
 dnsmasq-2.86.tar.xz | 3 +++
 dnsmasq-2.86.tar.xz.asc | 16 ++++++++++++++++
 dnsmasq.changes | 30 ++++++++++++++++++++++++++----
 dnsmasq.spec | 4 +---
 harden_dnsmasq.service.patch | 24 ------------------------
 7 files changed, 46 insertions(+), 50 deletions(-)
 delete mode 100644 dnsmasq-2.85.tar.xz
 delete mode 100644 dnsmasq-2.85.tar.xz.asc
 create mode 100644 dnsmasq-2.86.tar.xz
 create mode 100644 dnsmasq-2.86.tar.xz.asc
 delete mode 100644 harden_dnsmasq.service.patch
diff --git a/dnsmasq-2.85.tar.xz b/dnsmasq-2.85.tar.xz
deleted file mode 100644
index 70c5043..0000000
--- a/dnsmasq-2.85.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ad98d3803df687e5b938080f3d25c628fe41c878752d03fbc6199787fee312fa -size 518316 diff --git a/dnsmasq-2.85.tar.xz.asc b/dnsmasq-2.85.tar.xz.asc deleted file mode 100644 index f6dbf66..0000000 --- a/dnsmasq-2.85.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmBuGPsACgkQFc3aauGR -NaIg6A//Xfcu62aItiHf/jTeFHUSqHrdqanDqLRWSpgdeKO2adk+s66p5CqVHC8K -JfxPo6eTUj8uX53Idy5oiwUz4d40iiOjfxHs4Nme0ozyIAHGw/Tfwx7/+NV882vi -+rtqhjF83dRsnqIR95FD17tVI+cR0sq6XKzwBtPicjmPt79sQ2UtkBo7I+IS9B5g -o+i21gGYm34EgY6EavveWfGkKgJLz+cF59h4i16lc1eRGNsy5clURDxiJ65Zz0zb -ZARLudEclbFNdoUu/4idmOUhZCGWrqf9o+rQDYW3vN85saxCPbTChqqy1VC6OBnX -VLN3cAJlk1hS5X0HzewhXkOqulzjg81KWRQ8EYATdOQP7u6apv4q87hnmr+uL9E8 -0VZ3ECyhH7n6qNXfqNS2Fp3Yp0sm1hgRy+6bu/IgVTPs/Ro22HqTiw5YXZQkPMbe -A4acAep59nIV9dEB5DYF1N0S0P6OcVtUsZAFlGS1cD0owFuI44W/lg8w9xA9gyJv -uqZvZqkQDM8bi9zJ2d7fjf65pjS+7S9ISxDoPHp34lLMB7D/rAuW8GVBkL1KxMWb -sRHIBDKM01CXZeRBlbxAYHlH7s2QehRk/t57ksTmPtT3IAVMSajEG0+1YElUGg8s -2gqLtCLdmB6Lwl4RFripSERvPzYOAsd8DiqDL9wYOECBStUGuEw= -=W3WM ------END PGP SIGNATURE----- diff --git a/dnsmasq-2.86.tar.xz b/dnsmasq-2.86.tar.xz new file mode 100644 index 0000000..97c5807 --- /dev/null +++ b/dnsmasq-2.86.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08 +size 531404 diff --git a/dnsmasq-2.86.tar.xz.asc b/dnsmasq-2.86.tar.xz.asc new file mode 100644 index 0000000..ba08f03 --- /dev/null +++ b/dnsmasq-2.86.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmE5MDYACgkQFc3aauGR +NaKtqA//W2QQv/K6l009r6LBQdUxrYwygJ/TXKsZLb6JlpVSCgLJ0FvK95wJnt9S +YxeTbMogr/Pd2jbZJAnPz2mTxfqZAv1Xob+qaXfn/K772tMyjzgUCIfdsBSRKmUS +RYxln8NiMwahI8uYLBWLtSPBpaYLiHEp5W+wV6OHu4OGfCG1qyhlem4Hs1UJy2KN +I6UjLXYJYJBp1UBqsakEuNe4dzUp0v0OI4VYYRUriyTsmptcLFZMUAtdq6EJ9eUX +0p8zhxWotJCzkZrF/t6Myb8ydudwLkUqICA6a9PTw5o34KxZ2VKWtu6NQoWaT8WK +5c7gbk/UprlPhKEDMOuGNC5JHSpm+2Fhq8c8PkIn6zPYv0Wvb/M+2DYLjptfbodl +VHhuzngnneFOdNK+XzPCG37cG1qpzey1mLWtsl5Ji0d1hBLnlk9vl8Hqb5ozLAJC +rMlhIB85hyt6VAj29Ye3DnObNLRSmfDiN4frptmQssqMqO1+eI2b/8zvrxIByYG+ +HboOt5/gotVavAmZwPfesbpje50PaPVTgFjQjc8BAwXEhFsn98MVRdz7Iwc5xQmG +upOd+44HC3at+So9+X9ocVofvItuDn7wYVnoZU7LcF5Isnoz3FhRMAusm8EsfJkI +lQr7vsg5/oUBU2Dr/NCBjbe/cYX4/+BEdnnQkLvG33pF8xTiyAQ= +=XpGA +-----END PGP SIGNATURE----- diff --git a/dnsmasq.changes b/dnsmasq.changes index b4c53fd..abeaa63 100644 --- a/dnsmasq.changes +++ b/dnsmasq.changes 
@@ -1,10 +1,32 @@
+-------------------------------------------------------------------
+Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max
+
+- Update to 2.86:
+ * Handle DHCPREBIND requests in the DHCPv6 server code.
+ * Fix bug which caused dnsmasq to lose track of processes forked
+ to handle TCP DNS connections under heavy load.
+ * Major rewrite of the DNS server and domain handling code. This
+ should be largely transparent, but it drastically improves
+ performance and reduces memory foot-print when configuring
+ large numbers of domains.
+ * Revise resource handling for number of concurrent DNS queries.
+ * Improve efficiency of DNSSEC.
+ * Connection track mark based DNS query filtering.
+ * Allow smaller than 64 prefix lengths in synth-domain, with
+ caveats.
+ --synth-domain=1234:4567::/56,example.com is now valid.
+ * Make domains generated by --synth-domain appear in replies
+ when in authoritative mode.
+ * Ensure CAP_NET_ADMIN capability is available when conntrack
+ is configured.
+ * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
+ given a directory as argument, define the order in which files
+ within that directory are read (alphabetical order of filename).
+
 -------------------------------------------------------------------
 Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz
 
-- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
- * harden_dnsmasq.service.patch
- Modified:
- * dnsmasq.service
+- Added hardening to systemd service(s) (bsc#1181400).
 
 -------------------------------------------------------------------
 Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 917d09d..55e9b46 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -22,7 +22,7 @@
 %bcond_without tftp_user_package
 %endif
 Name: dnsmasq
-Version: 2.85
+Version: 2.86
 Release: 0
 Summary: DNS Forwarder and DHCP Server
 License: GPL-2.0-only OR GPL-3.0-only
@@ -37,7 +37,6 @@ Source5: rc.dnsmasq-suse
 Source6: system-user-dnsmasq.conf
 Source8: %{name}-rpmlintrc
 Patch0: dnsmasq-groups.patch
-Patch1: harden_dnsmasq.service.patch
 BuildRequires: dbus-1-devel
 BuildRequires: dos2unix
 BuildRequires: libidn2-devel
@@ -76,7 +75,6 @@ server's leases.
 
 %prep
 %setup -q
 %patch0
-%patch1 -p1
 # Remove the executable bit from python example files to
 # avoid unwanted automatic dependencies
diff --git a/harden_dnsmasq.service.patch b/harden_dnsmasq.service.patch
deleted file mode 100644
index 7f4863a..0000000
--- a/harden_dnsmasq.service.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: dnsmasq-2.85/contrib/systemd/dnsmasq.service
-===================================================================
---- dnsmasq-2.85.orig/contrib/systemd/dnsmasq.service
-+++ dnsmasq-2.85/contrib/systemd/dnsmasq.service
-@@ -5,6 +5,19 @@ Before=network-online.target nss-lookup.
- Wants=nss-lookup.target
- 
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- Type=dbus
- BusName=uk.org.thekelleys.dnsmasq
- ExecStartPre=/usr/sbin/dnsmasq --test
From bcf4390ff2e2fc6ac53f95378a28aa2de4a4a6d647c1604f924ac0442eb1da8e Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 23 Sep 2021 08:59:05 +0000
Subject: [PATCH 3/6] - SLE bugs that got fixed upstream between 2.79 and 2.86, but for which we need to keep references when syncing Factory to SLE: * bsc#1176076: dnsmasq-servfail.patch * bsc#1156543: dnsmasq-siocgstamp.patch * bsc#1138743: dnsmasq-cache-size.patch * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=138
---
 dnsmasq.changes | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/dnsmasq.changes b/dnsmasq.changes
index abeaa63..fcfb3b0 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max
+
+- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
+ which we need to keep references when syncing Factory to SLE:
+ * bsc#1176076: dnsmasq-servfail.patch
+ * bsc#1156543: dnsmasq-siocgstamp.patch
+ * bsc#1138743: dnsmasq-cache-size.patch
+ * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
+
 -------------------------------------------------------------------
 Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max
 
From 0c6831c53ad1751adbbd89b64674dac0260422c567100fe5d3f17e5bed668dd4 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 23 Sep 2021 09:22:08 +0000
Subject: [PATCH 4/6] OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=139
---
 dnsmasq.changes | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dnsmasq.changes b/dnsmasq.changes
index fcfb3b0..338523e 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,8 +1,9 @@
 -------------------------------------------------------------------
 Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max
 
+- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
 - SLE bugs that got fixed upstream between 2.79 and 2.86, but for
- which we need to keep references when syncing Factory to SLE:
+ which we need to keep references when syncing:
 * bsc#1176076: dnsmasq-servfail.patch
 * bsc#1156543: dnsmasq-siocgstamp.patch
 * bsc#1138743: dnsmasq-cache-size.patch
From 029f71cf1d78b54c014e07fc45abb293af6c9dd0eea1d7a79afcf87836863189 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 23 Sep 2021 12:02:11 +0000
Subject: [PATCH 5/6] OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=140
---
 dnsmasq.changes | 4 +++-
 dnsmasq.spec | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 338523e..836a8b5 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -7,7 +7,9 @@ Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max
 * bsc#1176076: dnsmasq-servfail.patch
 * bsc#1156543: dnsmasq-siocgstamp.patch
 * bsc#1138743: dnsmasq-cache-size.patch
- * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
+ * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
+ * bsc#1180914: Open inotify socket only when used.
+- bsc#1173646: Set --local-service by default.
 
 -------------------------------------------------------------------
 Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 55e9b46..f7eee5f 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -101,9 +101,21 @@
 sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|; s|CHGRP "dip"|CHGRP "nogroup"|' \
 src/config.h
 
-# Fix trust-anchor.conf location and include /etc/dnsmasq.d/*.conf by default
+# Tweaks to the default configuration:
+# - Fix trust-anchor.conf location
+# - Include /etc/dnsmasq.d/*.conf by default
+# - Only answer queries coming from the local network
 sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
 -e '/conf-dir=.*conf/s/^\#//' \
+ -e '0,/^$/{/^$/a \
+# Accept DNS queries only from hosts whose address is on a local\
+# subnet, ie a subnet for which an interface exists on the server.\
+# It is intended to be set as a default on installation, to allow\
+# unconfigured installations to be useful but also safe from being\
+# used for DNS amplification attacks.\
+local-service\
+
+}' \
 dnsmasq.conf.example
 
 %build
From f4508ec1d095e1b7ea74668033d1de2fd8dfd62776c709525fe9e3918ca76655 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 23 Sep 2021 12:06:42 +0000
Subject: [PATCH 6/6] OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=141
---
 dnsmasq.changes | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 836a8b5..5e23e82 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -9,6 +9,7 @@ Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max
 * bsc#1138743: dnsmasq-cache-size.patch
 * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
 * bsc#1180914: Open inotify socket only when used.
+ * removed dnsmasq-dnspooq.patch
 - bsc#1173646: Set --local-service by default.
 
 -------------------------------------------------------------------
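Review bot: The new `-e '0,/^$/{/^$/a ...}'` expression keys the insertion of `local-service` on the first blank line of `dnsmasq.conf.example`, so if a future upstream example begins differently the amplification-attack default from bsc#1173646 silently vanishes with no build failure; a `grep -q '^local-service$' dnsmasq.conf.example` right after the sed turns that into a build error. The inserted comment also omits the caveat from the dnsmasq manual (worth confirming against 2.86) that `local-service` has no effect once `interface=`, `except-interface=`, `listen-address=` or `auth-server=` are set, which is exactly what an administrator adds first, so a line such as `# It has no effect once interface=, except-interface=, listen-address= or auth-server= is set.\` before `local-service\` would stop the filter from being assumed on. The enclosing `%prep` section begins outside the hunk.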