From ef19fac0dfeee959d721ee6261adcbe3f4f84210f4080d17687e57f98e6ceced Mon Sep 17 00:00:00 2001
From: Danilo Spinella <danilo.spinella@suse.com>
Date: Fri, 5 Nov 2021 10:54:24 +0000
Subject: [PATCH 1/3] Accepting request 919783 from home:schubi2

- Use libalternatives instead of update-alternatives.

OBS-URL: https://build.opensuse.org/request/show/919783
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=74
---
 ebtables.changes |  5 +++++
 ebtables.spec    | 56 ++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/ebtables.changes b/ebtables.changes
index 4d988f6..0c942a7 100644
--- a/ebtables.changes
+++ b/ebtables.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Aug 20 18:06:09 UTC 2021 - Stefan Schubert <schubi@suse.de>
+
+- Use libalternatives instead of update-alternatives. 
+
 -------------------------------------------------------------------
 Wed Sep  2 14:23:48 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
 
diff --git a/ebtables.spec b/ebtables.spec
index e2c14a8..b2003d2 100644
--- a/ebtables.spec
+++ b/ebtables.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package ebtables
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,12 @@
 #
 
 
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir /var/adm/fillup-templates
@@ -41,8 +47,12 @@ BuildRequires:  xz
 Requires:       netcfg >= 11.6
 Requires(pre):  %fillup_prereq
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+%if %{with libalternatives}
+Requires:       alts
+%else
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
+%endif
 %{?systemd_ordering}
 
 %description
@@ -99,20 +109,50 @@ rm -rfv %{buildroot}%{_initrddir}
 # not used
 rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
 for i in ebtables ebtables-restore ebtables-save; do
-	ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
+%if ! %{with libalternatives}    
+        ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
+%else
+        ln -fsv  %{_bindir}/alts "%{buildroot}/%_sbindir/$i"
+%endif	
 done
 echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8"
 # no headers to make use of it
 rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so"
 
+%if %{with libalternatives}
+mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables
+cat > %{buildroot}%{_datadir}/libalternatives/ebtables/1.conf <<EOF
+binary=%{_sbindir}/ebtables-legacy
+group=ebtables, ebtables-restore, ebtables-save
+EOF
+mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables-restore
+cat > %{buildroot}%{_datadir}/libalternatives/ebtables-restore/1.conf <<EOF
+binary=%{_sbindir}/ebtables-legacy-restore
+group=ebtables, ebtables-restore, ebtables-save
+EOF
+mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables-save
+cat > %{buildroot}%{_datadir}/libalternatives/ebtables-save/1.conf <<EOF
+binary=%{_sbindir}/ebtables-legacy-save
+group=ebtables, ebtables-restore, ebtables-save
+EOF
+%endif
+
 %pre
+%if %{with libalternatives}
+# removing old update-alternatives entries
+if [ "$1" -gt 0 ] && [ -f %{_sbindir}/update-alternatives ] ; then
+         update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy"
+fi
+%endif
 %service_add_pre %{name}.service
 
 %post
+%if ! %{with libalternatives}
 update-alternatives --force \
 	--install "%{_sbindir}/ebtables" ebtables "%{_sbindir}/ebtables-legacy" 1 \
 	--slave "%{_sbindir}/ebtables-restore" ebtables-restore "%{_sbindir}/ebtables-legacy-restore" \
 	--slave "%{_sbindir}/ebtables-save" ebtables-save "%{_sbindir}/ebtables-legacy-save"
+%endif
 %service_add_post %{name}.service
 %fillup_only
 
@@ -120,9 +160,11 @@ update-alternatives --force \
 %service_del_preun %{name}.service
 
 %postun
+%if ! %{with libalternatives}
 if test "$1" = 0; then
 	update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy"
 fi
+%endif
 %service_del_postun %{name}.service
 
 %post   -n libebtc0 -p /sbin/ldconfig
@@ -135,9 +177,19 @@ fi
 %{_mandir}/man8/ebtables*.8*
 %{_libexecdir}/%{name}-helper
 %{_unitdir}/%{name}.service
+%if ! %{with libalternatives}
 %ghost %{_sysconfdir}/alternatives/ebtables
 %ghost %{_sysconfdir}/alternatives/ebtables-restore
 %ghost %{_sysconfdir}/alternatives/ebtables-save
+%else
+%dir %{_datadir}/libalternatives
+%dir %{_datadir}/libalternatives/ebtables
+%dir %{_datadir}/libalternatives/ebtables-restore
+%dir %{_datadir}/libalternatives/ebtables-save
+%{_datadir}/libalternatives/ebtables/1.conf
+%{_datadir}/libalternatives/ebtables-restore/1.conf
+%{_datadir}/libalternatives/ebtables-save/1.conf
+%endif
 %ghost %{_fillupdir}/sysconfig.%{name}.filter
 %ghost %{_fillupdir}/sysconfig.%{name}.nat
 %ghost %{_fillupdir}/sysconfig.%{name}.broute

From 9ea1208ce09485ba9109f46fbb1e0bd3447e15587b7128b2212741556aafeee2 Mon Sep 17 00:00:00 2001
From: Danilo Spinella <danilo.spinella@suse.com>
Date: Wed, 10 Nov 2021 14:17:11 +0000
Subject: [PATCH 2/3] Accepting request 925376 from
 home:jsegitz:branches:systemdhardening:security:netfilter

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/925376
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=75
---
 ebtables.changes | 6 ++++++
 ebtables.service | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/ebtables.changes b/ebtables.changes
index 0c942a7..3639276 100644
--- a/ebtables.changes
+++ b/ebtables.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Oct 15 07:30:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * ebtables.service
+
 -------------------------------------------------------------------
 Fri Aug 20 18:06:09 UTC 2021 - Stefan Schubert <schubi@suse.de>
 
diff --git a/ebtables.service b/ebtables.service
index 8deb225..5fad5d3 100644
--- a/ebtables.service
+++ b/ebtables.service
@@ -2,6 +2,14 @@
 Description=Ethernet Bridge Filtering tables
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=@LIBEXECDIR@/ebtables-helper start

From 77ea56de7a289296e1d548b6aabd1c1e5aeb444f1ad61122e35bb487b77936d5 Mon Sep 17 00:00:00 2001
From: Danilo Spinella <danilo.spinella@suse.com>
Date: Thu, 11 Nov 2021 08:38:17 +0000
Subject: [PATCH 3/3] Accepting request 930812 from
 home:dspinella:branches:security:netfilter

- Add build dependency on libalternatives
- Run spec-cleaner

OBS-URL: https://build.opensuse.org/request/show/930812
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=76
---
 ebtables.changes |  6 ++++++
 ebtables.spec    | 39 ++++++++++++++++++---------------------
 2 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/ebtables.changes b/ebtables.changes
index 3639276..8ae1b3d 100644
--- a/ebtables.changes
+++ b/ebtables.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 11 08:36:14 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Add build dependency on libalternatives
+- Run spec-cleaner
+
 -------------------------------------------------------------------
 Fri Oct 15 07:30:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 
diff --git a/ebtables.spec b/ebtables.spec
index b2003d2..6bd636f 100644
--- a/ebtables.spec
+++ b/ebtables.spec
@@ -21,12 +21,10 @@
 %else
 %bcond_with libalternatives
 %endif
-
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
-  %define _fillupdir /var/adm/fillup-templates
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
-
 Name:           ebtables
 Version:        2.0.11
 Release:        0
@@ -35,8 +33,8 @@ License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            http://ebtables.sf.net/
 #Git-Clone:	git://git.netfilter.org/ebtables
-Source0:        http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.gz
-Source1:        http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.gz.sig
+Source0:        http://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.gz
+Source1:        http://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.gz.sig
 Source2:        ebtables.keyring
 Source3:        ebtables.service
 Source4:        ebtables.systemd
@@ -46,14 +44,14 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
 Requires:       netcfg >= 11.6
 Requires(pre):  %fillup_prereq
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+%{?systemd_ordering}
 %if %{with libalternatives}
+BuildRequires:  alts
 Requires:       alts
 %else
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 %endif
-%{?systemd_ordering}
 
 %description
 A firewalling tool to transparently filter network traffic passing a
@@ -87,7 +85,7 @@ mv include/linux/netfilter_bridge/ebt_ulog.{h.save,h}
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
 %configure
-make %{?_smp_mflags}
+%make_build
 
 %install
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
@@ -96,28 +94,28 @@ mkdir -p "%{buildroot}/%{_sysconfdir}/init.d"
 %make_install
 mkdir -p %{buildroot}%{_fillupdir}
 mkdir -p %{buildroot}%{_unitdir}
-install -p %_sourcedir/ebtables.service %{buildroot}%{_unitdir}/
+install -p %{_sourcedir}/ebtables.service %{buildroot}%{_unitdir}/
 sed -i "s|@LIBEXECDIR@|%{_libexecdir}|g" %{buildroot}%{_unitdir}/*.service
 chmod -x %{buildroot}%{_unitdir}/*.service
 mkdir -p %{buildroot}%{_libexecdir}
-install -m0755 %_sourcedir/ebtables.systemd %{buildroot}%{_libexecdir}/%{name}-helper
+install -m0755 %{_sourcedir}/ebtables.systemd %{buildroot}%{_libexecdir}/%{name}-helper
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute
-rm -rfv %{buildroot}%{_initrddir}
+rm -rfv %{buildroot}%{_initddir}
 # not used
 rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
 for i in ebtables ebtables-restore ebtables-save; do
-%if ! %{with libalternatives}    
-        ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
+%if ! %{with libalternatives}
+        ln -fsv "%{_sysconfdir}/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
 %else
-        ln -fsv  %{_bindir}/alts "%{buildroot}/%_sbindir/$i"
-%endif	
+        ln -fsv  %{_bindir}/alts "%{buildroot}/%{_sbindir}/$i"
+%endif
 done
-echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8"
+echo ".so ebtables-legacy.8" >"%{buildroot}/%{_mandir}/man8/ebtables.8"
 # no headers to make use of it
-rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so"
+rm -f "%{buildroot}/%{_libdir}/libebtc.la" "%{buildroot}/%{_libdir}/libebtc.so"
 
 %if %{with libalternatives}
 mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables
@@ -171,10 +169,9 @@ fi
 %postun -n libebtc0 -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
 %license COPYING
 %doc ChangeLog
-%{_mandir}/man8/ebtables*.8*
+%{_mandir}/man8/ebtables*.8%{?ext_man}
 %{_libexecdir}/%{name}-helper
 %{_unitdir}/%{name}.service
 %if ! %{with libalternatives}
@@ -199,6 +196,6 @@ fi
 %{_sbindir}/rcebtables
 
 %files -n libebtc0
-%_libdir/libebtc.so.0*
+%{_libdir}/libebtc.so.0*
 
 %changelog