From dc54688f330faef53f70c133973938632b56172a5084815097470515f6eb1dde Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Fri, 17 Sep 2021 09:40:15 +0000
Subject: [PATCH] Accepting request 918936 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/918936
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=136
---
 dnsmasq.changes              | 8 ++++++++
 dnsmasq.service              | 12 ++++++++++++
 dnsmasq.spec                 | 2 ++
 harden_dnsmasq.service.patch | 24 ++++++++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 harden_dnsmasq.service.patch

diff --git a/dnsmasq.changes b/dnsmasq.changes
index dee8ae4..b4c53fd 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_dnsmasq.service.patch
+  Modified:
+  * dnsmasq.service
+
 -------------------------------------------------------------------
 Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer
 
diff --git a/dnsmasq.service b/dnsmasq.service
index 189fc17..5a6e26d 100644
--- a/dnsmasq.service
+++ b/dnsmasq.service
@@ -5,6 +5,18 @@ Wants=nss-lookup.target
 Before=nss-lookup.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=dbus
 BusName=uk.org.thekelleys.dnsmasq
 ExecStartPre=/usr/sbin/dnsmasq --test
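Review bot: The hardening block added to dnsmasq.service in this hunk is not the same as the one harden_dnsmasq.service.patch applies to contrib/systemd/dnsmasq.service: the patch also sets `PrivateDevices=true`, this unit does not, so the two unit files shipped by the package now carry different sandboxes. Either add `PrivateDevices=true` here as well, or put a short comment inside the marker block recording why it was left out, so the next run of the automatic tooling does not silently reintroduce the difference. Since the commit message itself says the change is untested, the unit should be started at least once with a DHCP-serving configuration before merge; `ProtectSystem=full` should leave /var writable for the lease file, but that is inferred from the option's documented semantics, not verified here.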
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 458fa68..917d09d 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -37,6 +37,7 @@ Source5: rc.dnsmasq-suse
 Source6: system-user-dnsmasq.conf
 Source8: %{name}-rpmlintrc
 Patch0: dnsmasq-groups.patch
+Patch1: harden_dnsmasq.service.patch
 BuildRequires: dbus-1-devel
 BuildRequires: dos2unix
 BuildRequires: libidn2-devel
@@ -75,6 +76,7 @@ server's leases.
 %prep
 %setup -q
 %patch0
+%patch1 -p1
 
 # Remove the executable bit from python example files to
 # avoid unwanted automatic dependencies
diff --git a/harden_dnsmasq.service.patch b/harden_dnsmasq.service.patch
new file mode 100644
index 0000000..7f4863a
--- /dev/null
+++ b/harden_dnsmasq.service.patch
@@ -0,0 +1,24 @@
+Index: dnsmasq-2.85/contrib/systemd/dnsmasq.service
+===================================================================
+--- dnsmasq-2.85.orig/contrib/systemd/dnsmasq.service
++++ dnsmasq-2.85/contrib/systemd/dnsmasq.service
+@@ -5,6 +5,19 @@ Before=network-online.target nss-lookup.
+ Wants=nss-lookup.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=dbus
+ BusName=uk.org.thekelleys.dnsmasq
+ ExecStartPre=/usr/sbin/dnsmasq --test