Accepting request 925452 from home:jsegitz:branches:systemdhardening_protectclock

- Drop ProtectClock hardening, can cause issues if other device access is needed

OBS-URL: https://build.opensuse.org/request/show/925452
OBS-URL: https://build.opensuse.org/package/show/filesystems/e2fsprogs?expand=0&rev=145
Dirk Mueller 2021-10-16 09:37:28 +00:00 committed by Git OBS Bridge
parent c6068ea4ce
commit 9339024596
5 changed files with 9 additions and 8 deletions


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Oct 15 12:11:41 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
-------------------------------------------------------------------
Thu Sep 30 14:13:06 UTC 2021 - Jan Kara <jack@suse.cz>


@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
===================================================================
--- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
+++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
@@ -10,6 +10,15 @@ PrivateNetwork=true
@@ -10,6 +10,14 @@ PrivateNetwork=true
ProtectSystem=true
ProtectHome=read-only
PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
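Review bot: Nothing in the unit file records why `ProtectClock=true` (presumably the line this commit removes from the hardening block) is absent, and the surviving comment still describes the block as "added automatically", so a later automated hardening pass could reintroduce it. I would add a line next to the remaining directives, for example `# ProtectClock= intentionally not set: it implies DeviceAllow=char-rtc r, which restricts access to other device nodes`. The same applies to the e2scrub_all, e2scrub_fail@ and e2scrub_reap sections below. The [Service] section of this unit starts and ends outside the visible hunk.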


@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
===================================================================
--- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
@@ -6,6 +6,17 @@ ConditionCapability=CAP_SYS_RAWIO
Documentation=man:e2scrub_all(8)
[Service]
@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true


@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
===================================================================
--- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
@@ -3,6 +3,17 @@ Description=Online ext4 Metadata Check F
Documentation=man:e2scrub(8)
[Service]
@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
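Review bot: Dropping `ProtectClock=true` from e2scrub_fail@.service may be broader than the stated reason requires, since the changelog justifies the removal only by the need for other device access. Going by its name and truncated description, this unit looks like the failure-reporting helper, not the scrubber; whether it opens any device node is not visible here. If it does not, the directive could stay in this unit. If it has to go, the clock restriction can be kept without the implied device allow-list via `SystemCallFilter=~@clock` and `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM`. The rest of the [Service] section lies outside the hunk.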


@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
===================================================================
--- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
@@ -11,6 +11,16 @@ PrivateNetwork=true
@@ -11,6 +11,15 @@ PrivateNetwork=true
ProtectSystem=true
ProtectHome=read-only
PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true