From 9339024596224f105527364b3d897adef4f886c2 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sat, 16 Oct 2021 09:37:28 +0000
Subject: [PATCH] Accepting request 925452 from home:jsegitz:branches:systemdhardening_protectclock

- Drop ProtectClock hardening, can cause issues if other device acceess is needed

OBS-URL: https://build.opensuse.org/request/show/925452
OBS-URL: https://build.opensuse.org/package/show/filesystems/e2fsprogs?expand=0&rev=145
---
 e2fsprogs.changes | 5 +++++
 harden_e2scrub@.service.patch | 3 +--
 harden_e2scrub_all.service.patch | 3 +--
 harden_e2scrub_fail@.service.patch | 3 +--
 harden_e2scrub_reap.service.patch | 3 +--
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/e2fsprogs.changes b/e2fsprogs.changes
index c7bf6a2..4a03e23 100644
--- a/e2fsprogs.changes
+++ b/e2fsprogs.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 15 12:11:41 UTC 2021 - Johannes Segitz
+
+- Drop ProtectClock hardening, can cause issues if other device acceess is needed
+
 -------------------------------------------------------------------
 Thu Sep 30 14:13:06 UTC 2021 - Jan Kara
 
diff --git a/harden_e2scrub@.service.patch b/harden_e2scrub@.service.patch
index 8913583..ef436f8 100644
--- a/harden_e2scrub@.service.patch
+++ b/harden_e2scrub@.service.patch
@@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
 ===================================================================
 --- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
 +++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
-@@ -10,6 +10,15 @@ PrivateNetwork=true
+@@ -10,6 +10,14 @@ PrivateNetwork=true
  ProtectSystem=true
  ProtectHome=read-only
  PrivateTmp=yes
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
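Review bot: Dropping `+ProtectClock=true` gives up more than the device policy the changelog complains about, because ProtectClock=yes also removes CAP_SYS_TIME and CAP_WAKE_ALARM from the bounding set and installs a system-call filter against clock-setting calls; this applies to harden_e2scrub@.service.patch here and equally to the same removed line in harden_e2scrub_all.service.patch, harden_e2scrub_fail@.service.patch and harden_e2scrub_reap.service.patch. The conflict presumably comes from the `DeviceAllow=char-rtc r` that ProtectClock= implies, which switches the unit to a device allow-list the block devices e2scrub opens are not on; if that is the whole problem, keeping the directive and adding an explicit `DeviceAllow=block-* rw` (or the specific device groups the unit actually uses) would retain the clock protection. Where the device policy cannot be reconciled, `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` together with `SystemCallFilter=~@clock` recovers the rest of what ProtectClock= provided without any device restriction. It is also worth confirming that e2scrub_fail@ and e2scrub_all, which do not appear to open block devices themselves, needed this relaxation at all rather than being swept up with the per-device units. Any of these options requires re-counting both the inner `@@` headers and this patch's own hunk headers.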
diff --git a/harden_e2scrub_all.service.patch b/harden_e2scrub_all.service.patch
index fbcd365..32a7b36 100644
--- a/harden_e2scrub_all.service.patch
+++ b/harden_e2scrub_all.service.patch
@@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
-@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
+@@ -6,6 +6,17 @@ ConditionCapability=CAP_SYS_RAWIO
  Documentation=man:e2scrub_all(8)
  
  [Service]
@@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
 +ProtectSystem=full
 +ProtectHome=true
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
diff --git a/harden_e2scrub_fail@.service.patch b/harden_e2scrub_fail@.service.patch
index d8c2d2d..3a665dc 100644
--- a/harden_e2scrub_fail@.service.patch
+++ b/harden_e2scrub_fail@.service.patch
@@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
-@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
+@@ -3,6 +3,17 @@ Description=Online ext4 Metadata Check F
  Documentation=man:e2scrub(8)
  
  [Service]
@@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
 +ProtectSystem=full
 +ProtectHome=true
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
diff --git a/harden_e2scrub_reap.service.patch b/harden_e2scrub_reap.service.patch
index 8491e15..bcdd6e7 100644
--- a/harden_e2scrub_reap.service.patch
+++ b/harden_e2scrub_reap.service.patch
@@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
-@@ -11,6 +11,16 @@ PrivateNetwork=true
+@@ -11,6 +11,15 @@ PrivateNetwork=true
  ProtectSystem=true
  ProtectHome=read-only
  PrivateTmp=yes
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
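Review bot: The context line `+# added automatically, for details please see` still presents this directive list as machine-generated, yet after this hunk it is hand-curated with ProtectClock deliberately left out and nothing in the unit records why. A comment next to `+ProtectHostname=true` such as `+# ProtectClock= intentionally omitted: its implied DeviceAllow= policy conflicts with the device access this unit needs` would stop the next automated hardening pass from silently re-adding it; the same applies to the matching hunk in harden_e2scrub@.service.patch, and presumably to harden_e2scrub_all.service.patch and harden_e2scrub_fail@.service.patch if they carry the same header comment outside the hunks shown. Adding that line means the inner `@@ -11,6 +11,15 @@` count and this patch's own hunk header would have to be adjusted again.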