Accepting request 920867 from home:jsegitz:branches:systemdhardening:Java:packages

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/920867 OBS-URL: https://build.opensuse.org/package/show/Java:packages/hsqldb?expand=0&rev=42
2021-09-23 05:44:57 +00:00 · 2021-09-23 05:44:57 +00:00 · 080edd9847
commit 080edd9847
parent 8596d74523
3 changed files with 33 additions and 1 deletions
--- a/harden_hsqldb.service.patch
+++ b/harden_hsqldb.service.patch
@ -0,0 +1,24 @@
+Index: hsqldb-2.4.1/hsqldb/sample/hsqldb.service
+===================================================================
+--- hsqldb-2.4.1.orig/hsqldb/sample/hsqldb.service
+++ hsqldb-2.4.1/hsqldb/sample/hsqldb.service
+@@ -17,6 +17,19 @@ Description=HyperSQL Database Server
+ After=socket.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ # TODO!  Change these paths to point to the absolute path of the "hsqldb.init"
+ # script in your HyperSQL distribution:
+ ExecStart=/local/hsqldb-2.3.4/sample/hsqldb.init start
--- a/hsqldb.changes
+++ b/hsqldb.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 22 08:34:22 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_hsqldb.service.patch
+
 -------------------------------------------------------------------
 Mon Dec 14 19:30:22 UTC 2020 - Pedro Monreal <pmonreal@suse.com>

--- a/hsqldb.spec
+++ b/hsqldb.spec
@ -1,7 +1,7 @@
 #
 # spec file for package hsqldb
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -46,6 +46,7 @@ Patch0:         %{name}-apidocs.patch
 Patch1:         %{name}-cmdline.patch
 # Jdk10's javadoc ends up in error when a remote url cannot be reached
 Patch2:         hsqldb-2.4.1-javadoc10.patch
+Patch3:         harden_hsqldb.service.patch
 BuildRequires:  ant
 BuildRequires:  fdupes
 BuildRequires:  glassfish-servlet-api
@ -129,6 +130,7 @@ sed -i -e 's|doc/apidocs|%{_javadocdir}/%{name}|g' index.html
 %patch0 -p1
 %patch1 -p1
 %patch2 -p2
+%patch3 -p2

 %build
 pushd build