Accepting request 930813 from security:netfilter

OBS-URL: https://build.opensuse.org/request/show/930813
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ebtables?expand=0&rev=48

ebtables.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Nov 11 08:36:14 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Add build dependency on libalternatives
+- Run spec-cleaner
+
+-------------------------------------------------------------------
+Fri Oct 15 07:30:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * ebtables.service
+
+-------------------------------------------------------------------
+Fri Aug 20 18:06:09 UTC 2021 - Stefan Schubert <schubi@suse.de>
+
+- Use libalternatives instead of update-alternatives. 
+
 -------------------------------------------------------------------
 Wed Sep  2 14:23:48 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
 

ebtables.service

@@ -2,6 +2,14 @@
 Description=Ethernet Bridge Filtering tables
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=@LIBEXECDIR@/ebtables-helper start

ebtables.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ebtables
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,11 +16,15 @@
 #
 
 
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
-  %define _fillupdir /var/adm/fillup-templates
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
-
 Name:           ebtables
 Version:        2.0.11
 Release:        0
@@ -29,8 +33,8 @@ License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            http://ebtables.sf.net/
 #Git-Clone:	git://git.netfilter.org/ebtables
-Source0:        http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.gz
-Source1:        http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.gz.sig
+Source0:        http://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.gz
+Source1:        http://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.gz.sig
 Source2:        ebtables.keyring
 Source3:        ebtables.service
 Source4:        ebtables.systemd
@@ -40,10 +44,14 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
 Requires:       netcfg >= 11.6
 Requires(pre):  %fillup_prereq
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 %{?systemd_ordering}
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
+Requires(post): update-alternatives
+Requires(postun):update-alternatives
+%endif
 
 %description
 A firewalling tool to transparently filter network traffic passing a
@@ -77,7 +85,7 @@ mv include/linux/netfilter_bridge/ebt_ulog.{h.save,h}
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
 %configure
-make %{?_smp_mflags}
+%make_build
 
 %install
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
@@ -86,33 +94,63 @@ mkdir -p "%{buildroot}/%{_sysconfdir}/init.d"
 %make_install
 mkdir -p %{buildroot}%{_fillupdir}
 mkdir -p %{buildroot}%{_unitdir}
-install -p %_sourcedir/ebtables.service %{buildroot}%{_unitdir}/
+install -p %{_sourcedir}/ebtables.service %{buildroot}%{_unitdir}/
 sed -i "s|@LIBEXECDIR@|%{_libexecdir}|g" %{buildroot}%{_unitdir}/*.service
 chmod -x %{buildroot}%{_unitdir}/*.service
 mkdir -p %{buildroot}%{_libexecdir}
-install -m0755 %_sourcedir/ebtables.systemd %{buildroot}%{_libexecdir}/%{name}-helper
+install -m0755 %{_sourcedir}/ebtables.systemd %{buildroot}%{_libexecdir}/%{name}-helper
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute
-rm -rfv %{buildroot}%{_initrddir}
+rm -rfv %{buildroot}%{_initddir}
 # not used
 rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
 for i in ebtables ebtables-restore ebtables-save; do
-	ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
+%if ! %{with libalternatives}
+        ln -fsv "%{_sysconfdir}/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
+%else
+        ln -fsv  %{_bindir}/alts "%{buildroot}/%{_sbindir}/$i"
+%endif
 done
-echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8"
+echo ".so ebtables-legacy.8" >"%{buildroot}/%{_mandir}/man8/ebtables.8"
 # no headers to make use of it
-rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so"
+rm -f "%{buildroot}/%{_libdir}/libebtc.la" "%{buildroot}/%{_libdir}/libebtc.so"
+
+%if %{with libalternatives}
+mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables
+cat > %{buildroot}%{_datadir}/libalternatives/ebtables/1.conf <<EOF
+binary=%{_sbindir}/ebtables-legacy
+group=ebtables, ebtables-restore, ebtables-save
+EOF
+mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables-restore
+cat > %{buildroot}%{_datadir}/libalternatives/ebtables-restore/1.conf <<EOF
+binary=%{_sbindir}/ebtables-legacy-restore
+group=ebtables, ebtables-restore, ebtables-save
+EOF
+mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables-save
+cat > %{buildroot}%{_datadir}/libalternatives/ebtables-save/1.conf <<EOF
+binary=%{_sbindir}/ebtables-legacy-save
+group=ebtables, ebtables-restore, ebtables-save
+EOF
+%endif
 
 %pre
+%if %{with libalternatives}
+# removing old update-alternatives entries
+if [ "$1" -gt 0 ] && [ -f %{_sbindir}/update-alternatives ] ; then
+         update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy"
+fi
+%endif
 %service_add_pre %{name}.service
 
 %post
+%if ! %{with libalternatives}
 update-alternatives --force \
 	--install "%{_sbindir}/ebtables" ebtables "%{_sbindir}/ebtables-legacy" 1 \
 	--slave "%{_sbindir}/ebtables-restore" ebtables-restore "%{_sbindir}/ebtables-legacy-restore" \
 	--slave "%{_sbindir}/ebtables-save" ebtables-save "%{_sbindir}/ebtables-legacy-save"
+%endif
 %service_add_post %{name}.service
 %fillup_only
 
@@ -120,24 +158,35 @@ update-alternatives --force \
 %service_del_preun %{name}.service
 
 %postun
+%if ! %{with libalternatives}
 if test "$1" = 0; then
 	update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy"
 fi
+%endif
 %service_del_postun %{name}.service
 
 %post   -n libebtc0 -p /sbin/ldconfig
 %postun -n libebtc0 -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
 %license COPYING
 %doc ChangeLog
-%{_mandir}/man8/ebtables*.8*
+%{_mandir}/man8/ebtables*.8%{?ext_man}
 %{_libexecdir}/%{name}-helper
 %{_unitdir}/%{name}.service
+%if ! %{with libalternatives}
 %ghost %{_sysconfdir}/alternatives/ebtables
 %ghost %{_sysconfdir}/alternatives/ebtables-restore
 %ghost %{_sysconfdir}/alternatives/ebtables-save
+%else
+%dir %{_datadir}/libalternatives
+%dir %{_datadir}/libalternatives/ebtables
+%dir %{_datadir}/libalternatives/ebtables-restore
+%dir %{_datadir}/libalternatives/ebtables-save
+%{_datadir}/libalternatives/ebtables/1.conf
+%{_datadir}/libalternatives/ebtables-restore/1.conf
+%{_datadir}/libalternatives/ebtables-save/1.conf
+%endif
 %ghost %{_fillupdir}/sysconfig.%{name}.filter
 %ghost %{_fillupdir}/sysconfig.%{name}.nat
 %ghost %{_fillupdir}/sysconfig.%{name}.broute
@@ -147,6 +196,6 @@ fi
 %{_sbindir}/rcebtables
 
 %files -n libebtc0
-%_libdir/libebtc.so.0*
+%{_libdir}/libebtc.so.0*
 
 %changelog