diff --git a/gnuhealth-webdav@.service b/gnuhealth-webdav@.service
index 6e3d0b1..29ddf3c 100644
--- a/gnuhealth-webdav@.service
+++ b/gnuhealth-webdav@.service
@@ -4,6 +4,19 @@ After=syslog.target
 Requires=gnuhealth.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 User=tryton
 Group=tryton
diff --git a/gnuhealth.changes b/gnuhealth.changes
index ccc03d8..d08fbcb 100644
--- a/gnuhealth.changes
+++ b/gnuhealth.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Sep 20 14:02:25 UTC 2021 - Johannes Segitz
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_gnuhealth.service.patch
+ Modified:
+ * gnuhealth-webdav@.service
+ * gnuhealth.service
+
 -------------------------------------------------------------------
 Fri Apr 16 17:16:20 UTC 2021 - Axel Braun
diff --git a/gnuhealth.service b/gnuhealth.service
index fd4a0a3..c35ad46 100644
--- a/gnuhealth.service
+++ b/gnuhealth.service
@@ -15,6 +15,13 @@ ProtectControlGroups=true
 MountFlags=private
 NoNewPrivileges=true
 PrivateDevices=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelLogs=true
+RestrictRealtime=true
+# end of automatic additions
 MemoryDenyWriteExecute=true
 Type=simple
diff --git a/gnuhealth.spec b/gnuhealth.spec
index 8561863..48fa3f6 100644
--- a/gnuhealth.spec
+++ b/gnuhealth.spec
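Review bot: The new block in gnuhealth-webdav@.service leaves out `NoNewPrivileges=true`, which the sibling gnuhealth.service touched in this same commit already carries as a context line, so the two units end up with different privilege-escalation protections despite sharing the same "added automatically" header. Adding `NoNewPrivileges=true` next to `RestrictRealtime=true` would close that gap. `ProtectHome=true` is set above `User=tryton`, so if that account's home (or any path the webdav service reads or writes) lives under /home, the unit will fail to start or lose access; that depends on the tryton account's home, which is not visible here, and should be checked against a running instance before shipping. The unit's [Unit] section begins before this hunk.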
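Review bot: The four directives added to gnuhealth.service are dropped into the middle of an existing hand-written hardening set (`MountFlags=private` … `MemoryDenyWriteExecute=true`), and the inserted comment does not carry the bug reference that the changelog uses, so a reader of the unit cannot tell why these four were added separately from the rest. Suggest `# added automatically for bsc#1181400, for details please see` as the first comment line so the unit and the changelog agree. The hardening lines preceding this hunk start outside the visible range, so whether `ProtectSystem=`/`ProtectHome=` are already set in this unit cannot be confirmed from here.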
@@ -40,6 +40,7 @@ Source7: gnuhealth-rpmlintrc
 Source8: https://ftp.gnu.org/gnu/health/%{name}-%{version}.tar.gz.sig
 Source9: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=health&download=1#/%{name}.keyring
 Patch0: shebang.diff
+Patch1: harden_gnuhealth.service.patch
 BuildRequires: fdupes
 BuildRequires: python-rpm-generators
@@ -112,6 +113,7 @@ This package provides the interface to Orthanc
 %patch0 -p1
 cp %{S:1} .
 cp %{S:2} .
+%patch1 -p1
 %build
 for i in h*; do
diff --git a/harden_gnuhealth.service.patch b/harden_gnuhealth.service.patch
new file mode 100644
index 0000000..f8c7de6
--- /dev/null
+++ b/harden_gnuhealth.service.patch
@@ -0,0 +1,24 @@
+Index: gnuhealth-3.8.0/scripts/startup/gnuhealth.service
+===================================================================
+--- gnuhealth-3.8.0.orig/scripts/startup/gnuhealth.service
++++ gnuhealth-3.8.0/scripts/startup/gnuhealth.service
+@@ -3,6 +3,19 @@ Description=GNU Health Server
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ User=gnuhealth
+ WorkingDirectory=/home/gnuhealth
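Review bot: `%patch1 -p1` patches the tarball's scripts/startup/gnuhealth.service, while the same %prep step also copies the package's own unit files in with `cp %{S:1} .` and `cp %{S:2} .`, so the build now carries two differently hardened copies of gnuhealth.service and nothing in the spec says which one ends up in %{_unitdir}. If the packaged Source unit is the one installed, the tarball patch only hardens a file that is shipped as an example, which is fine but should be stated; a one-line comment such as `# Patch1 hardens the upstream example unit; the installed unit is Source1` next to the `%patch1` line would settle it. Placing `%patch1 -p1` directly after `%patch0 -p1` would also keep the patch applications together. The %prep section begins and ends outside this hunk.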
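Review bot: In harden_gnuhealth.service.patch, `ProtectHome=true` is added to a unit whose `WorkingDirectory=/home/gnuhealth` is visible three lines below it; with ProtectHome=true systemd presents /home as empty and inaccessible to the service, so the chdir into /home/gnuhealth would fail and the unit would not start. The directive should be dropped or changed to `ProtectHome=tmpfs` together with `BindPaths=/home/gnuhealth`, which keeps the rest of /home hidden while exposing the working directory. Whether the service also needs write access there is not visible here and should be confirmed before picking between those options.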