From 7ad53cbd5be63fd07757283250cba6469377c8e7fc9caaec05e26228c05047c0 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Wed, 6 Oct 2021 08:32:33 +0000
Subject: [PATCH] Accepting request 923291 from home:jsegitz:branches:systemdhardening:network:time

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/923291
OBS-URL: https://build.opensuse.org/package/show/network:time/linuxptp?expand=0&rev=22
---
 linuxptp.changes | 7 +++++++
 phc2sys.service | 13 +++++++++++++
 ptp4l.service | 13 +++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/linuxptp.changes b/linuxptp.changes
index 24a3d01..343a18a 100644
--- a/linuxptp.changes
+++ b/linuxptp.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct 5 11:41:43 UTC 2021 - Johannes Segitz
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * phc2sys.service
+ * ptp4l.service
+
 -------------------------------------------------------------------
 Tue Jul 06 08:06:16 UTC 2021 - jbohac@suse.com
 
diff --git a/phc2sys.service b/phc2sys.service
index 23fe47b..04701bf 100644
--- a/phc2sys.service
+++ b/phc2sys.service
@@ -3,6 +3,19 @@ Description=PTP: Synchronize two clocks
 After=ntpdate.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+DeviceAllow=/dev/rtc
+# end of automatic additions
 Type=simple
 EnvironmentFile=-/etc/sysconfig/phc2sys
 ExecStart=/usr/sbin/phc2sys $OPTIONS
diff --git a/ptp4l.service b/ptp4l.service
index c97665c..cb8a9c5 100644
--- a/ptp4l.service
+++ b/ptp4l.service
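Review bot: In the phc2sys.service hunk, `PrivateDevices=true` combined with a lone `DeviceAllow=/dev/rtc` looks likely to cut the daemon off from the PTP hardware clock nodes (`/dev/ptp*`) it is meant to discipline: systemd documents PrivateDevices= as giving the unit a private /dev holding only pseudo devices, and any explicit DeviceAllow= entry turns the device allow-list into a closed one that here names only the RTC. The identical block in the ptp4l.service hunk has the same exposure whenever hardware timestamping is used, and the commit message states the change was not tested. I would drop `PrivateDevices=true` and write the allow-list explicitly, e.g. `DevicePolicy=closed` with `DeviceAllow=char-ptp rw` next to the rtc entry, then confirm on a host with a PHC that both services still start and sync. A one-line comment such as `# ProtectClock= is deliberately not set: this service adjusts the system clock` would also stop a later hardening pass from adding it.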
@@ -2,6 +2,19 @@
 Description=PTP: Boundary/Ordinary Clock
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+DeviceAllow=/dev/rtc
+# end of automatic additions
 Type=simple
 EnvironmentFile=-/etc/sysconfig/ptp4l
 ExecStart=/usr/sbin/ptp4l $OPTIONS