Accepting request 920641 from home:jsegitz:branches:systemdhardening:multimedia:apps

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/920641 OBS-URL: https://build.opensuse.org/package/show/multimedia:apps/gerbera?expand=0&rev=22
2021-09-21 11:34:58 +00:00 · 2021-09-21 11:34:58 +00:00 · e5612873f2
commit e5612873f2
parent 9829eed0bf
3 changed files with 33 additions and 1 deletions
--- a/gerbera.changes
+++ b/gerbera.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 21 09:51:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_gerbera.service.patch
+
 -------------------------------------------------------------------
 Thu Sep  2 07:25:06 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>

--- a/gerbera.spec
+++ b/gerbera.spec
@ -26,6 +26,7 @@ URL:            https://gerbera.io
 Source0:        https://github.com/gerbera/gerbera/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source3:        gerbera.tmpfile.in
 Source4:        gerbera.sysusers.in
+Patch0:	harden_gerbera.service.patch
 BuildRequires:  cmake >= 3.13
 BuildRequires:  fdupes
 BuildRequires:  file-devel
@ -67,7 +68,7 @@ media through a network and consume it on a variety of UPnP
 compatible devices.

 %prep
-%autosetup
+%autosetup -p1

 # server test hardcodes alpha strings
 sed -i -e '/test_server/d' test/CMakeLists.txt
--- a/harden_gerbera.service.patch
+++ b/harden_gerbera.service.patch
@ -0,0 +1,25 @@
+Index: gerbera-1.9.1/scripts/systemd/gerbera.service.cmake
+===================================================================
+--- gerbera-1.9.1.orig/scripts/systemd/gerbera.service.cmake
+++ gerbera-1.9.1/scripts/systemd/gerbera.service.cmake
+@@ -3,6 +3,20 @@ Description=${SYSTEMD_DESCRIPTION}
+ After=${SYSTEMD_AFTER_TARGET}
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+ReadWritePaths=/usr/share/gerbera/ /etc/gerbera/
+# end of automatic additions 
+ Type=simple
+ User=gerbera
+ Group=gerbera