Accepting request 920516 from home:jsegitz:branches:systemdhardening:Application:Geo

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/920516 OBS-URL: https://build.opensuse.org/package/show/Application:Geo/gpsd?expand=0&rev=142
2021-09-22 15:25:08 +00:00 · 2021-09-22 15:25:08 +00:00 · acad32dfd8
commit acad32dfd8
parent 929077c417
4 changed files with 57 additions and 0 deletions
--- a/gpsd.changes
+++ b/gpsd.changes
@ -21,6 +21,13 @@ Wed Sep 22 07:07:20 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
  * No API, ABI changes.
  * Fallback to "python3" if "python" not found.

+-------------------------------------------------------------------
+Mon Sep 20 15:34:40 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_gpsd.service.patch
+  * harden_gpsdctl@.service.patch
+
 -------------------------------------------------------------------
 Sat Aug  7 03:32:40 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>

--- a/gpsd.spec
+++ b/gpsd.spec
@ -34,6 +34,8 @@ Source2:        udev.gpsd
 Source3:        sysconfig.gpsd
 Source98:       https://download-mirror.savannah.gnu.org/releases/gpsd/%{name}-%{version}.tar.xz.sig
 Source99:       %{name}.keyring
+Patch0:         harden_gpsd.service.patch
+Patch1:         harden_gpsdctl@.service.patch
 BuildRequires:  chrpath
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
@ -167,6 +169,8 @@ tar -xf %{SOURCE0} -C %{name}-%{version}/python2
 mkdir -p %{name}-%{version}/python3
 tar -xf %{SOURCE0} -C %{name}-%{version}/python3
 cd %{name}-%{version}
+%patch0 -p1
+%patch1 -p1

 %build
 # LTO fails on aarch64 (version 3.22, May 2021)
--- a/harden_gpsd.service.patch
+++ b/harden_gpsd.service.patch
@ -0,0 +1,23 @@
+Index: gpsd/gpsd-3.23/systemd/gpsd.service.in
+===================================================================
+--- foo.old/python3/gpsd-3.23/systemd/gpsd.service.in
+++ foo/python3/gpsd-3.23/systemd/gpsd.service.in
+@@ -5,6 +5,18 @@ Requires=gpsd.socket
+ After=chronyd.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ EnvironmentFile=-/etc/default/gpsd
+ EnvironmentFile=-/etc/sysconfig/gpsd
--- a/harden_gpsdctl@.service.patch
+++ b/harden_gpsdctl@.service.patch
@ -0,0 +1,23 @@
+Index: gpsd-3.23/systemd/gpsdctl@.service.in
+===================================================================
+--- foo.old/python3/gpsd-3.23/systemd/gpsdctl@.service.in
+++ foo/python3/gpsd-3.23/systemd/gpsdctl@.service.in
+@@ -5,6 +5,18 @@ BindsTo=dev-%i.device
+ After=dev-%i.device
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=oneshot
+ Environment="GPSD_SOCKET=@RUNDIR@/gpsd.sock"
+ EnvironmentFile=-/etc/default/gpsd