diff --git a/e2fsprogs.changes b/e2fsprogs.changes
index c7bf6a2..4a03e23 100644
--- a/e2fsprogs.changes
+++ b/e2fsprogs.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 15 12:11:41 UTC 2021 - Johannes Segitz
+
+- Drop ProtectClock hardening, can cause issues if other device acceess is needed
+
 -------------------------------------------------------------------
 Thu Sep 30 14:13:06 UTC 2021 - Jan Kara
 
diff --git a/harden_e2scrub@.service.patch b/harden_e2scrub@.service.patch
index 8913583..ef436f8 100644
--- a/harden_e2scrub@.service.patch
+++ b/harden_e2scrub@.service.patch
@@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
 ===================================================================
 --- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
 +++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
-@@ -10,6 +10,15 @@ PrivateNetwork=true
+@@ -10,6 +10,14 @@ PrivateNetwork=true
  ProtectSystem=true
  ProtectHome=read-only
  PrivateTmp=yes
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
diff --git a/harden_e2scrub_all.service.patch b/harden_e2scrub_all.service.patch
index fbcd365..32a7b36 100644
--- a/harden_e2scrub_all.service.patch
+++ b/harden_e2scrub_all.service.patch
@@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
-@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
+@@ -6,6 +6,17 @@ ConditionCapability=CAP_SYS_RAWIO
  Documentation=man:e2scrub_all(8)
 
  [Service]
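Review bot: The removal of `ProtectClock=true` in the harden_e2scrub@.service.patch hunk is not recorded in the unit file itself, and the block still carries the `# added automatically` header, so a later run of the hardening tooling could plausibly put the directive back. ProtectClock= implies `DeviceAllow=char-rtc r`, and an explicit DeviceAllow= entry turns the default device policy into an allow-list, which is presumably the device-access problem the changelog entry refers to. I would add a comment next to the remaining directives, for example `# ProtectClock= omitted on purpose: it implies DeviceAllow=char-rtc r, which blocks access to other device nodes`. The same applies to the ProtectClock removals in harden_e2scrub_all.service.patch, harden_e2scrub_fail@.service.patch and harden_e2scrub_reap.service.patch.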
@@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
 +ProtectSystem=full
 +ProtectHome=true
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
diff --git a/harden_e2scrub_fail@.service.patch b/harden_e2scrub_fail@.service.patch
index d8c2d2d..3a665dc 100644
--- a/harden_e2scrub_fail@.service.patch
+++ b/harden_e2scrub_fail@.service.patch
@@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
-@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
+@@ -3,6 +3,17 @@ Description=Online ext4 Metadata Check F
  Documentation=man:e2scrub(8)
 
  [Service]
@@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
 +ProtectSystem=full
 +ProtectHome=true
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
diff --git a/harden_e2scrub_reap.service.patch b/harden_e2scrub_reap.service.patch
index 8491e15..bcdd6e7 100644
--- a/harden_e2scrub_reap.service.patch
+++ b/harden_e2scrub_reap.service.patch
@@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
-@@ -11,6 +11,16 @@ PrivateNetwork=true
+@@ -11,6 +11,15 @@ PrivateNetwork=true
  ProtectSystem=true
  ProtectHome=read-only
  PrivateTmp=yes
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
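Review bot: Dropping `ProtectClock=true` from e2scrub_fail@.service (second hunk of harden_e2scrub_fail@.service.patch) may be broader than the changelog's stated reason requires. The justification given is that other device access can be needed, but nothing in this hunk shows the failure-reporting unit opening block or LVM device nodes; the hunk covers only part of the [Service] section, so this is inferred. If the unit only reports a failed scrub, the line ` +ProtectClock=true` could stay in this one patch while being removed from the units that actually touch devices. Please confirm which of the four units hit the device-access failure before removing the directive from all of them.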