From 789a4a822c45d12237ac210d4f5b257da5c5216f75c99694c44b4dc18d66cfa0 Mon Sep 17 00:00:00 2001
From: Nicolas Morey-Chaisemartin
Date: Mon, 15 Nov 2021 10:25:28 +0000
Subject: [PATCH] Accepting request 923293 from home:jsegitz:branches:systemdhardening:science:HPC
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/923293
OBS-URL: https://build.opensuse.org/package/show/science:HPC/libvma?expand=0&rev=24
---
 harden_vma.service.patch | 24 ++++++++++++++++++++++++
 libvma.changes | 8 ++++++++
 libvma.spec | 2 ++
 vma.service | 13 +++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 harden_vma.service.patch
diff --git a/harden_vma.service.patch b/harden_vma.service.patch
new file mode 100644
index 0000000..8ce7889
--- /dev/null
+++ b/harden_vma.service.patch
@@ -0,0 +1,24 @@
+Index: libvma-9.3.1.0.47396f1a5eaa/contrib/scripts/vma.service.in
+===================================================================
+--- libvma-9.3.1.0.47396f1a5eaa.orig/contrib/scripts/vma.service.in
++++ libvma-9.3.1.0.47396f1a5eaa/contrib/scripts/vma.service.in
+@@ -3,6 +3,19 @@ Description=VMA Daemon
+ After=network.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ Restart=on-failure
+ ExecStart=@prefix@/sbin/vmad
diff --git a/libvma.changes b/libvma.changes
index 656abec..9ce1bc5 100644
--- a/libvma.changes
+++ b/libvma.changes
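Review bot: PrivateDevices=true in the block added to contrib/scripts/vma.service.in (and identically in the vma.service hunk) gives vmad a private /dev holding only pseudo-devices, while the packaged unit orders itself after rdma-load-modules@rdma.service and rdma-hw.target, so if the daemon opens anything under /dev/infiniband the hardened unit will fail at runtime; the commit message itself says this has not been tested. ProtectKernelTunables=true likewise makes /proc/sys read-only, which matters if vmad writes any sysctl. Before this lands, start the hardened unit on a host with an RDMA device and check `journalctl -u vma.service` for permission or missing-device errors; if device nodes are needed, replace `PrivateDevices=true` with `DevicePolicy=closed` plus a `DeviceAllow=` line for the exact nodes vmad opens, and record the reason inside the `# added automatically` block so the next automated pass does not reintroduce it.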
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Oct 5 09:08:03 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_vma.service.patch
+ Modified:
+ * vma.service
+
 -------------------------------------------------------------------
 Sun Sep 26 11:11:24 UTC 2021 - Nicolas Morey-Chaisemartin
 
diff --git a/libvma.spec b/libvma.spec
index 9ecf84f..1dc13b3 100644
--- a/libvma.spec
+++ b/libvma.spec
@@ -29,6 +29,7 @@ Release: 0
 Source0: %{name}-%{version}%{git_ver}.tar.gz
 Source1: vma.service
 Patch1: issue-2485156-Fix-fc35-issues.patch
+Patch2: harden_vma.service.patch
 URL: https://github.com/Mellanox/libvma
 BuildRequires: autoconf
 BuildRequires: automake
@@ -72,6 +73,7 @@ Headers and symbolink link required to compile and link with the Libvma library.
 %prep
 %setup -q -n %{name}-%{version}%{git_ver}
 %patch1
+%patch2 -p1
 
 %build
 ./autogen.sh
diff --git a/vma.service b/vma.service
index a2c83c8..27b1cac 100644
--- a/vma.service
+++ b/vma.service
@@ -9,6 +9,19 @@ After=rdma-load-modules@rdma.service
 After=rdma-hw.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 Restart=on-failure
 ExecStart=/usr/sbin/vmad
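Review bot: The thirteen hardening lines in the vma.service hunk are a byte-for-byte copy of the block that harden_vma.service.patch adds to contrib/scripts/vma.service.in, so the package now carries the same sandbox policy in two unit files that must be edited together. Unless the build is known to install only one of the two units, consider shipping the directives once as a drop-in, `/usr/lib/systemd/system/vma.service.d/hardening.conf` holding only the `[Service]` block, installed from the spec instead of patching both units. If both copies are kept, a one-line comment in each, `# keep in sync with harden_vma.service.patch`, would at least flag the duplication for the next maintainer.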