diff --git a/harden_osmo-stp.service.patch b/harden_osmo-stp.service.patch
new file mode 100644
index 0000000..4acacda
--- /dev/null
+++ b/harden_osmo-stp.service.patch
@@ -0,0 +1,24 @@
+Index: libosmo-sccp-1.4.0/contrib/systemd/osmo-stp.service
+===================================================================
+--- libosmo-sccp-1.4.0.orig/contrib/systemd/osmo-stp.service
++++ libosmo-sccp-1.4.0/contrib/systemd/osmo-stp.service
+@@ -3,6 +3,19 @@ Description=Osmocom STP (Signal Transfer
+ Documentation=https://osmocom.org/projects/osmo-stp/wiki
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ Restart=always
+ ExecStart=/usr/bin/osmo-stp -c /etc/osmocom/osmo-stp.cfg
diff --git a/libosmo-sccp.changes b/libosmo-sccp.changes
index ed5e3d8..6bb0a46 100644
--- a/libosmo-sccp.changes
+++ b/libosmo-sccp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 5 06:18:17 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_osmo-stp.service.patch
+
 -------------------------------------------------------------------
 Sun Mar 14 20:59:25 UTC 2021 - Jan Engelhardt
diff --git a/libosmo-sccp.spec b/libosmo-sccp.spec
index 3fb5bf6..f371646 100644
--- a/libosmo-sccp.spec
+++ b/libosmo-sccp.spec
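Review bot: The hardening block added to `[Service]` in harden_osmo-stp.service.patch restricts what the process can see of the kernel, devices and home directories, but does nothing about the privileges of the process itself. No `User=` appears in the visible part of the unit, so unless one is set outside this hunk the network-facing daemon still runs as root, and nothing prevents it or a child from gaining privileges through setuid binaries. Adding `NoNewPrivileges=true` inside the marked block would close that gap and is unlikely to affect a daemon that only reads `/etc/osmocom/osmo-stp.cfg`. `ProtectSystem=full` also leaves `/var` and other paths outside `/usr`, `/boot`, `/efi` and `/etc` writable; if testing shows osmo-stp writes only to known locations, `ProtectSystem=strict` with an explicit `ReadWritePaths=` would be the tighter setting. The unit file continues above and below the hunk, so any existing `User=` or capability settings are not visible here.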
@@ -28,6 +28,7 @@ URL: https://projects.osmocom.org/projects/libosmo-sccp
 #Git-Clone: https://git.osmocom.org/libosmo-sccp
 Source: https://github.com/osmocom/libosmo-sccp/archive/%version.tar.gz
 Patch1: 0001-build-fixes.patch
+Patch2: harden_osmo-stp.service.patch
 BuildRequires: automake >= 1.6
 BuildRequires: libtool >= 2
 BuildRequires: lksctp-tools-devel
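Review bot: `Patch2` is declared here, but no change to `%prep` is visible in this part of the diff, so whether the hardening patch is actually applied depends on how the spec applies its patches. If `%prep` uses `%autosetup -p1` or `%autopatch`, this line is sufficient; if it lists patches explicitly, a matching `%patch2 -p1` is needed, otherwise the package ships the unhardened unit while the changelog says hardening was added. A comment above the line recording its origin, for example `# PATCH-FIX-OPENSUSE harden_osmo-stp.service.patch bsc#1181400`, would also help whoever next rebases the patch set.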