From 020d7afb2ca82496916133f4a94477e877a6453567136a4d0972b925efc005f5 Mon Sep 17 00:00:00 2001
From: Peter Simons
Date: Wed, 10 Nov 2021 20:37:20 +0000
Subject: [PATCH] Accepting request 920872 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/920872
OBS-URL: https://build.opensuse.org/package/show/security/haveged?expand=0&rev=142
---
 harden_haveged.service.patch | 17 +++++++++++++++++
 haveged-switch-root.service | 13 +++++++++++++
 haveged.changes | 9 +++++++++
 haveged.service | 13 +++++++++++++
 haveged.spec | 1 +
 5 files changed, 53 insertions(+)
 create mode 100644 harden_haveged.service.patch
diff --git a/harden_haveged.service.patch b/harden_haveged.service.patch
new file mode 100644
index 0000000..cd1b5a4
--- /dev/null
+++ b/harden_haveged.service.patch
@@ -0,0 +1,17 @@
+Index: haveged-1.9.14/contrib/Fedora/haveged.service
+===================================================================
+--- haveged-1.9.14.orig/contrib/Fedora/haveged.service
++++ haveged-1.9.14/contrib/Fedora/haveged.service
+@@ -24,6 +24,12 @@ ProtectKernelLogs=true
+ ProtectKernelModules=true
+ RestrictNamespaces=true
+ RestrictRealtime=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectControlGroups=true
++# end of automatic additions
+ 
+ LockPersonality=true
+ MemoryDenyWriteExecute=true
diff --git a/haveged-switch-root.service b/haveged-switch-root.service
index 89438e9..ee15893 100644
--- a/haveged-switch-root.service
+++ b/haveged-switch-root.service
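Review bot: `+ProtectKernelTunables=true` mounts /proc/sys read-only for the service, but haveged's `-w` option sets /proc/sys/kernel/random/write_wakeup_threshold at startup; the openSUSE unit hardened in the haveged.service hunk further down visibly runs `ExecStart=/usr/sbin/haveged -w 1024 -v 0 -F`, so the same conflict applies there, and the Fedora unit patched here likely passes `-w` as well (its ExecStart line is outside this hunk). Whether haveged then only logs an error or exits cannot be told from here, and the commit message itself says the change is untested, so this wants a boot test before merging; if the write fails, drop either `ProtectKernelTunables=true` or the `-w` argument in both units. Separately, this patch targets `contrib/Fedora/haveged.service` while the package carries its own `haveged.service`; if only the latter is installed, this hunk hardens a file that never ships.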
@@ -8,6 +8,19 @@ JoinsNamespaceOf=haveged.service
 [Service]
 ExecStart=-/usr/sbin/haveged -c root=/sysroot
 PrivateNetwork=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=oneshot
 StandardInput=null
 StandardOutput=null
diff --git a/haveged.changes b/haveged.changes
index 99c1626..e4c6663 100644
--- a/haveged.changes
+++ b/haveged.changes
@@ -12,6 +12,15 @@ Mon Oct 11 13:26:52 UTC 2021 - Cristian Rodríguez
 initrd modules and udev rules, the other components are still useful.
+-------------------------------------------------------------------
+Tue Sep 21 12:15:06 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_haveged.service.patch
+ Modified:
+ * haveged-switch-root.service
+ * haveged.service
+
 -------------------------------------------------------------------
 Mon Jan 4 08:28:40 UTC 2021 - Paolo Stivanin
diff --git a/haveged.service b/haveged.service
index 7b0b04f..8250f16 100644
--- a/haveged.service
+++ b/haveged.service
@@ -12,6 +12,19 @@ Before=sysinit.target shutdown.target systemd-journald.service
 ExecStart=/usr/sbin/haveged -w 1024 -v 0 -F
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT
 PrivateNetwork=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Restart=always
 SuccessExitStatus=137 143
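Review bot: The sandbox directives added to this oneshot sit under `ExecStart=-/usr/sbin/haveged -c root=/sysroot`, whose leading `-` makes systemd treat a non-zero exit as success, so if any of the new settings (say `ProtectSystem=full` or `PrivateDevices=true`, should the `-c` client need something they take away) break the command, the unit still reports success and the running daemon silently keeps its pre-switch-root view of the filesystem. Since the commit message states this was not tested, I would verify in the journal that the `root=/sysroot` command still succeeds during a real initrd-to-root switch, and reconsider whether a short-lived client invocation needs the daemon's full hardening block copied verbatim.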
diff --git a/haveged.spec b/haveged.spec
index 79ecabb..99b0e01 100644
--- a/haveged.spec
+++ b/haveged.spec
@@ -32,6 +32,7 @@ Source5: %{name}-switch-root.service
 Patch0: ppc64le.patch
 # PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237
 Patch2: haveged-no-syslog.patch
+Patch3: harden_haveged.service.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
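Review bot: `+Patch3: harden_haveged.service.patch` only declares the patch; nothing in this diff applies it, and the diffstat shows haveged.spec gaining exactly one line. Unless %prep already uses `%autosetup -p1` or `%autopatch` (not visible here), a matching `%patch3 -p1` is needed next to the existing patch applications in %prep, otherwise the Fedora unit hardening in harden_haveged.service.patch never takes effect. The rest of the Source/Patch declarations and the %prep section lie outside this hunk.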