From 0750c065b5070d429787da61c10eac05227a4ec66cda72090c80617e6a696ec7 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 11 Oct 2021 17:19:42 +0000
Subject: [PATCH] Accepting request 923286 from home:jsegitz:branches:systemdhardening:GNOME:Factory
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/923286
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libzypp-plugin-appdata?expand=0&rev=55
---
 harden_appstream-sync-cache.service.patch | 24 +++++++++++++++++++++++
 libzypp-plugin-appdata.changes | 6 ++++++
 libzypp-plugin-appdata.spec | 2 ++
 3 files changed, 32 insertions(+)
 create mode 100644 harden_appstream-sync-cache.service.patch
diff --git a/harden_appstream-sync-cache.service.patch b/harden_appstream-sync-cache.service.patch
new file mode 100644
index 0000000..f6cfdd3
--- /dev/null
+++ b/harden_appstream-sync-cache.service.patch
@@ -0,0 +1,24 @@
+Index: openSUSE-appstream-1.0.1+git.20180426/appstream-sync-cache.service
+===================================================================
+--- openSUSE-appstream-1.0.1+git.20180426.orig/appstream-sync-cache.service
++++ openSUSE-appstream-1.0.1+git.20180426/appstream-sync-cache.service
+@@ -4,6 +4,19 @@ After=local-fs.target
+ ConditionDirectoryNotEmpty=!/var/cache/app-info/xmls
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ ExecStart=/usr/bin/zypper appstream-cache
+ 
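Review bot: The commit message states the hardening is untested, and the unit in this hunk carries `ConditionDirectoryNotEmpty=!/var/cache/app-info/xmls`, so a plain `systemctl start` on a machine with a populated cache will be skipped and prove nothing; a meaningful check needs an empty /var/cache/app-info/xmls before the service runs, followed by confirming that `/usr/bin/zypper appstream-cache` completed and repopulated the directory. The directive most likely to bite is `ProtectSystem=full`, which also makes /etc read-only; as far as the hunk shows, zypper only needs to read its configuration there while writing under /var, but that is an inference and worth confirming in the test run. Since the whole block is a copy of the generic profile, it could also carry `NoNewPrivileges=true` and `RestrictSUIDSGID=true`, which are low-risk for a cache-building job and reduce the exposure further; `systemd-analyze security appstream-sync-cache.service` gives a quick before/after comparison. The patched unit continues past the inner hunk (the rest of the [Service] section is outside it).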
diff --git a/libzypp-plugin-appdata.changes b/libzypp-plugin-appdata.changes
index bdc2295..c3ddc31 100644
--- a/libzypp-plugin-appdata.changes
+++ b/libzypp-plugin-appdata.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 5 09:12:00 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_appstream-sync-cache.service.patch
+
 -------------------------------------------------------------------
 Fri Sep 4 12:46:34 UTC 2020 - Dominique Leuenberger
diff --git a/libzypp-plugin-appdata.spec b/libzypp-plugin-appdata.spec
index c872672..d3554a5 100644
--- a/libzypp-plugin-appdata.spec
+++ b/libzypp-plugin-appdata.spec
@@ -25,6 +25,7 @@ Group: System/Libraries
 URL: https://wiki.gnome.org/Design/Apps/Software
 Source0: openSUSE-appstream-%{version}.tar.xz
 Source99: libzypp-plugin-appdata-rpmlintrc
+Patch0: harden_appstream-sync-cache.service.patch
 # appstreamcli is provided by the AppStream package. Let's pull it in when available, but ignore its absence
 Recommends: AppStream
 # appstream-glib >= 0.3.6 is the first to correctly to appstream-util uninstall in /var/cache
@@ -59,6 +60,7 @@ This package contains extra appstream metadata to be used by appstream-builder
 %prep
 %setup -q -n openSUSE-appstream-%{version}
+%patch0 -p1
 %build