Accepting request 923286 from home:jsegitz:branches:systemdhardening:GNOME:Factory

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/923286 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libzypp-plugin-appdata?expand=0&rev=55
2021-10-11 17:19:42 +00:00 · 2021-10-11 17:19:42 +00:00 · 0750c065b5
commit 0750c065b5
parent d74950fc42
3 changed files with 32 additions and 0 deletions
--- a/harden_appstream-sync-cache.service.patch
+++ b/harden_appstream-sync-cache.service.patch
@ -0,0 +1,24 @@
+Index: openSUSE-appstream-1.0.1+git.20180426/appstream-sync-cache.service
+===================================================================
+--- openSUSE-appstream-1.0.1+git.20180426.orig/appstream-sync-cache.service
+++ openSUSE-appstream-1.0.1+git.20180426/appstream-sync-cache.service
+@@ -4,6 +4,19 @@ After=local-fs.target
+ ConditionDirectoryNotEmpty=!/var/cache/app-info/xmls
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ ExecStart=/usr/bin/zypper appstream-cache
+ 
--- a/libzypp-plugin-appdata.changes
+++ b/libzypp-plugin-appdata.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct  5 09:12:00 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_appstream-sync-cache.service.patch
+
 -------------------------------------------------------------------
 Fri Sep  4 12:46:34 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/libzypp-plugin-appdata.spec
+++ b/libzypp-plugin-appdata.spec
@ -25,6 +25,7 @@ Group:          System/Libraries
 URL:            https://wiki.gnome.org/Design/Apps/Software
 Source0:        openSUSE-appstream-%{version}.tar.xz
 Source99:       libzypp-plugin-appdata-rpmlintrc
+Patch0:	harden_appstream-sync-cache.service.patch
 # appstreamcli is provided by the AppStream package. Let's pull it in when available, but ignore its absence
 Recommends:     AppStream
 # appstream-glib >= 0.3.6 is the first to correctly to appstream-util uninstall in /var/cache
@ -59,6 +60,7 @@ This package contains extra appstream metadata to be used by appstream-builder

 %prep
 %setup -q -n openSUSE-appstream-%{version}
+%patch0 -p1

 %build