From 919eb4aaada53df36d79028755a2bbcc7ea6f55b0e0b392fee8491cdf1950175 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 14 Sep 2021 14:21:34 +0000
Subject: [PATCH] Accepting request 918933 from home:jsegitz:branches:systemdhardening:multimedia:libs

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/918933
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/fluidsynth?expand=0&rev=94
---
 fluidsynth.changes | 8 ++++++++
 fluidsynth.service | 11 +++++++++++
 fluidsynth.spec | 3 ++-
 harden_fluidsynth.service.patch | 22 ++++++++++++++++++++++
 4 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 harden_fluidsynth.service.patch

diff --git a/fluidsynth.changes b/fluidsynth.changes
index b19ac18..8a66f6d 100644
--- a/fluidsynth.changes
+++ b/fluidsynth.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Sep 14 09:59:43 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_fluidsynth.service.patch
+ Modified:
+ * fluidsynth.service
+
 -------------------------------------------------------------------
 Sun Jul 11 17:21:21 UTC 2021 - Tom Mbrt
 
diff --git a/fluidsynth.service b/fluidsynth.service
index 90e3379..20e44e9 100644
--- a/fluidsynth.service
+++ b/fluidsynth.service
@@ -4,6 +4,17 @@ Documentation=man:fluidsynth(1)
 After=sound.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# end of automatic additions
 User=fluidsynth
 Group=audio
 EnvironmentFile=-/etc/sysconfig/fluidsynth
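Review bot: The added ProtectHome=true makes /home, /root and /run/user unavailable to the daemon, so any soundfont or configuration path under a home directory supplied through EnvironmentFile=-/etc/sysconfig/fluidsynth will fail to open once this lands, and the commit message states the change is untested; start the unit once on a host with that sysconfig file populated before merging. The block omits NoNewPrivileges=true and PrivateTmp=true, both of which are safe alongside the existing User=fluidsynth and would close off setuid escalation and shared /tmp exposure, e.g. `NoNewPrivileges=true` and `PrivateTmp=true` placed before `# end of automatic additions`. PrivateDevices= is presumably left out on purpose because the service needs the sound device; `systemd-analyze security fluidsynth.service` will report the remaining exposure after the change.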
diff --git a/fluidsynth.spec b/fluidsynth.spec
index b0789b2..3529496 100644
--- a/fluidsynth.spec
+++ b/fluidsynth.spec
@@ -28,6 +28,7 @@ Source0: https://github.com/FluidSynth/%{name}/archive/v%{version}.tar.gz
 Source1: %{name}.conf
 Source2: %{name}.service
 Source1000: baselibs.conf
+Patch0: harden_fluidsynth.service.patch
 BuildRequires: cmake >= 3.1.0
 BuildRequires: gcc-c++
 BuildRequires: ladspa-devel
@@ -71,7 +72,7 @@ Group: System/Libraries
 This package contains the shared library for Fluidsynth.
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %cmake \
diff --git a/harden_fluidsynth.service.patch b/harden_fluidsynth.service.patch
new file mode 100644
index 0000000..444e669
--- /dev/null
+++ b/harden_fluidsynth.service.patch
@@ -0,0 +1,22 @@
+Index: fluidsynth-2.2.2/fluidsynth.service.in
+===================================================================
+--- fluidsynth-2.2.2.orig/fluidsynth.service.in
++++ fluidsynth-2.2.2/fluidsynth.service.in
+@@ -4,6 +4,17 @@ Documentation=man:fluidsynth(1)
+ After=sound.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++# end of automatic additions
+ Type=notify
+ NotifyAccess=main
+ EnvironmentFile=@FLUID_DAEMON_ENV_FILE@
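Review bot: The same hardening block is now carried in two places, the packaged fluidsynth.service (Source2) and this patch against upstream fluidsynth.service.in, and the surrounding context already differs between them (User=/Group= in the packaged unit, Type=notify/NotifyAccess=main in the upstream template), so every future hardening change has to be applied twice and the two will silently drift. It is worth recording in the spec which of the two units is actually installed, or dropping the unused one; from this hunk alone it is not visible which one ends up in the package. The `%autosetup -p1` change in the spec hunk above is required for the new Patch0 and looks correct.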