diff --git a/fwupd.changes b/fwupd.changes
index a980de3..eba8a4d 100644
--- a/fwupd.changes
+++ b/fwupd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Oct 15 07:30:24 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_fwupd-offline-update.service.patch
+ * harden_fwupd-refresh.service.patch
+
 -------------------------------------------------------------------
 Thu Oct 7 04:56:37 UTC 2021 - Joey Lee
diff --git a/fwupd.spec b/fwupd.spec
index a783664..4d52d55 100644
--- a/fwupd.spec
+++ b/fwupd.spec
@@ -51,6 +51,8 @@ Source: %{name}-%{version}.tar.xz
 Patch1: fwupd-bsc1130056-change-shim-path.patch
 # PATCH-FIX-OPENSUSE fwupd-jscSLE-11766-close-efidir-leap-gap.patch jsc#SLE-11766 qkzhu@suse.com -- Set SLE and openSUSE esp os dir at runtime
 Patch2: fwupd-jscSLE-11766-close-efidir-leap-gap.patch
+Patch3: harden_fwupd-offline-update.service.patch
+Patch4: harden_fwupd-refresh.service.patch
 BuildRequires: dejavu-fonts
 %if %{with fish_support}
diff --git a/harden_fwupd-offline-update.service.patch b/harden_fwupd-offline-update.service.patch
new file mode 100644
index 0000000..bd480b9
--- /dev/null
+++ b/harden_fwupd-offline-update.service.patch
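Review bot: The new Patch3 and Patch4 declarations in fwupd.spec have no visible application step; unless %prep already uses %autosetup or %autopatch, the patches are only listed, not applied, and `%patch3 -p1` / `%patch4 -p1` need to go into %prep, which is outside this hunk and should be checked. The Patch2 line directly above carries a `# PATCH-FIX-OPENSUSE <file> <bug> <contact> -- <reason>` comment, as openSUSE packaging convention asks for every patch; the two new lines have none. Adding one per patch in that form, referencing bsc#1181400 and a one-line reason such as "systemd service hardening", keeps the spec consistent and makes the patch traceable without reading the changelog.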
@@ -0,0 +1,21 @@
+Index: fwupd-1.6.2/data/fwupd-offline-update.service.in
+===================================================================
+--- fwupd-1.6.2.orig/data/fwupd-offline-update.service.in
++++ fwupd-1.6.2/data/fwupd-offline-update.service.in
+@@ -8,6 +8,16 @@ After=sysinit.target system-update-pre.t
+ Before=shutdown.target system-update.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ ExecStart=@libexecdir@/fwupd/fwupdoffline
+ FailureAction=reboot
diff --git a/harden_fwupd-refresh.service.patch b/harden_fwupd-refresh.service.patch
new file mode 100644
index 0000000..dc8fbaf
--- /dev/null
+++ b/harden_fwupd-refresh.service.patch
@@ -0,0 +1,18 @@
+Index: fwupd-1.6.2/data/motd/fwupd-refresh.service.in
+===================================================================
+--- fwupd-1.6.2.orig/data/motd/fwupd-refresh.service.in
++++ fwupd-1.6.2/data/motd/fwupd-refresh.service.in
+@@ -13,5 +13,13 @@ SystemCallFilter=~@mount
+ ProtectKernelModules=yes
+ ProtectControlGroups=yes
+ RestrictRealtime=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++# end of automatic additions
+ SuccessExitStatus=2
+ ExecStart=@bindir@/fwupdmgr refresh
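Review bot: ProtectKernelTunables=true and ProtectSystem=full, added to the [Service] block of fwupd-offline-update.service.in, make /sys and /boot read-only for a oneshot unit whose only job is to run fwupdoffline and flash the pending updates; any plugin that has to write efivarfs entries under /sys/firmware/efi/efivars or stage a capsule on an ESP mounted below /boot would be refused by the sandbox rather than by the device. The unit keeps FailureAction=reboot, so a refusal of that kind reboots the machine instead of surfacing an error, which makes this worth exercising with a real offline update before it ships. If writes to those paths turn out to be needed, keep the hardening and add explicit `ReadWritePaths=` entries for the specific paths (or drop only ProtectKernelTunables for this unit) rather than loosening ProtectSystem. The generated `# added automatically … # end of automatic additions` markers are fine, but a one-line comment naming the paths that were verified writable would save the next person the same investigation.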
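Review bot: The directives added to fwupd-refresh.service.in use `=true` while the three existing lines directly above them use `=yes`; systemd accepts both spellings, but mixing them in one block reads as pasted, so `ProtectHome=yes`, `ProtectHostname=yes`, `ProtectKernelTunables=yes` and `ProtectKernelLogs=yes` would match the file. Separately, if this unit sets DynamicUser=yes in the part outside the hunk, that already implies ProtectSystem=strict, and an explicit ProtectSystem=full is then either redundant or weaker than what is already enforced depending on how the installed systemd resolves the explicit value; `systemctl show fwupd-refresh.service -p ProtectSystem` after applying the patch settles which. The hardening itself fits this unit well, since `fwupdmgr refresh` needs only network access and the D-Bus connection to the daemon, and the generator correctly did not re-add the ProtectControlGroups and RestrictRealtime lines that are already present.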