Accepting request 920516 from home:jsegitz:branches:systemdhardening:Application:Geo

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/920516
OBS-URL: https://build.opensuse.org/package/show/Application:Geo/gpsd?expand=0&rev=142

gpsd.changes

@@ -21,6 +21,13 @@ Wed Sep 22 07:07:20 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
   * No API, ABI changes.
   * Fallback to "python3" if "python" not found.
 
+-------------------------------------------------------------------
+Mon Sep 20 15:34:40 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_gpsd.service.patch
+  * harden_gpsdctl@.service.patch
+
 -------------------------------------------------------------------
 Sat Aug  7 03:32:40 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
 

gpsd.spec

@@ -34,6 +34,8 @@ Source2:        udev.gpsd
 Source3:        sysconfig.gpsd
 Source98:       https://download-mirror.savannah.gnu.org/releases/gpsd/%{name}-%{version}.tar.xz.sig
 Source99:       %{name}.keyring
+Patch0:         harden_gpsd.service.patch
+Patch1:         harden_gpsdctl@.service.patch
 BuildRequires:  chrpath
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
@@ -167,6 +169,8 @@ tar -xf %{SOURCE0} -C %{name}-%{version}/python2
 mkdir -p %{name}-%{version}/python3
 tar -xf %{SOURCE0} -C %{name}-%{version}/python3
 cd %{name}-%{version}
+%patch0 -p1
+%patch1 -p1
 
 %build
 # LTO fails on aarch64 (version 3.22, May 2021)

harden_gpsd.service.patch

@@ -0,0 +1,23 @@
+Index: gpsd/gpsd-3.23/systemd/gpsd.service.in
+===================================================================
+--- foo.old/python3/gpsd-3.23/systemd/gpsd.service.in
++++ foo/python3/gpsd-3.23/systemd/gpsd.service.in
+@@ -5,6 +5,18 @@ Requires=gpsd.socket
+ After=chronyd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=forking
+ EnvironmentFile=-/etc/default/gpsd
+ EnvironmentFile=-/etc/sysconfig/gpsd

harden_gpsdctl@.service.patch

@@ -0,0 +1,23 @@
+Index: gpsd-3.23/systemd/gpsdctl@.service.in
+===================================================================
+--- foo.old/python3/gpsd-3.23/systemd/gpsdctl@.service.in
++++ foo/python3/gpsd-3.23/systemd/gpsdctl@.service.in
+@@ -5,6 +5,18 @@ BindsTo=dev-%i.device
+ After=dev-%i.device
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=oneshot
+ Environment="GPSD_SOCKET=@RUNDIR@/gpsd.sock"
+ EnvironmentFile=-/etc/default/gpsd