Accepting request 921086 from home:jsegitz:branches:systemdhardening:network:utilities

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/921086
OBS-URL: https://build.opensuse.org/package/show/network:utilities/iputils?expand=0&rev=97

harden_rdisc.service.patch

@@ -0,0 +1,17 @@
+Index: iputils-20210722/systemd/rdisc.service.in
+===================================================================
+--- iputils-20210722.orig/systemd/rdisc.service.in
++++ iputils-20210722/systemd/rdisc.service.in
+@@ -20,6 +20,12 @@ ProtectKernelModules=yes
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictNamespaces=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelLogs=true
++# end of automatic additions 
+ SystemCallArchitectures=native
+ LockPersonality=yes
+ NoNewPrivileges=yes

iputils.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 22 14:49:53 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_rdisc.service.patch
+
 -------------------------------------------------------------------
 Thu Jul 22 16:18:11 UTC 2021 - Petr Vorel <pvorel@suse.cz>
 

iputils.spec

@@ -24,6 +24,7 @@ License:        BSD-3-Clause AND GPL-2.0-or-later
 Group:          Productivity/Networking/Other
 URL:            https://github.com/iputils/iputils
 Source0:        https://github.com/iputils/iputils/archive/%{version}.tar.gz
+Patch0:	harden_rdisc.service.patch
 BuildRequires:  docbook5-xsl-stylesheets
 BuildRequires:  docbook_5
 BuildRequires:  iproute2