From 097127653dfa3f5ec929905363530d0893dbf6c0341b8862c7a50adf182449d4 Mon Sep 17 00:00:00 2001 From: Stefan Seyfried Date: Sat, 2 Oct 2021 11:56:28 +0000 Subject: [PATCH 1/3] Accepting request 910628 from home:sbrabec:branches:vdr - Require typelib packages, otherwise lirc-setup fails to start. OBS-URL: https://build.opensuse.org/request/show/910628 OBS-URL: https://build.opensuse.org/package/show/vdr/lirc?expand=0&rev=103 --- lirc.changes | 5 +++++ lirc.spec | 3 +++ 2 files changed, 8 insertions(+) diff --git a/lirc.changes b/lirc.changes index 944c183..c91913c 100644 --- a/lirc.changes +++ b/lirc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Aug 8 01:55:41 UTC 2021 - Stanislav Brabec + +- Require typelib packages, otherwise lirc-setup fails to start. + ------------------------------------------------------------------- Sat Feb 20 11:09:50 UTC 2021 - Dirk Müller diff --git a/lirc.spec b/lirc.spec index 32b0c41..c6966b5 100644 --- a/lirc.spec +++ b/lirc.spec @@ -77,6 +77,9 @@ Group: Hardware/Other Requires(pre): shadow Provides: %{name} = %{version} Obsoletes: %{name} < %{version} +# Required by mvc_view.py from lirc-setup +Requires: typelib-1_0-Gtk-3_0 +Requires: typelib-1_0-Vte-2.91 %{?systemd_requires} %description core From 421901044220c92af754a3ae5118ef9fcb1498f7d4bd830cc822bb5c8b0e80eb Mon Sep 17 00:00:00 2001 From: Stefan Seyfried Date: Wed, 6 Oct 2021 06:33:50 +0000 Subject: [PATCH 2/3] Accepting request 923209 from home:dimstar:Factory - Revert "Require typelib packages": better to have rpm auto-detect them. - Add gobject-introspection BuildRequires to have the typelib dep scanner on board. OBS-URL: https://build.opensuse.org/request/show/923209 OBS-URL: https://build.opensuse.org/package/show/vdr/lirc?expand=0&rev=104 --- lirc.changes | 8 ++++++++ lirc.spec | 5 ++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/lirc.changes b/lirc.changes index c91913c..2e0d69d 100644 --- a/lirc.changes 
+++ b/lirc.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Oct 5 12:06:44 UTC 2021 - Dominique Leuenberger + +- Revert "Require typelib packages": better to have rpm auto-detect + them. +- Add gobject-introspection BuildRequires to have the typelib dep + scanner on board. + ------------------------------------------------------------------- Sun Aug 8 01:55:41 UTC 2021 - Stanislav Brabec diff --git a/lirc.spec b/lirc.spec index c6966b5..e74f207 100644 --- a/lirc.spec +++ b/lirc.spec @@ -34,6 +34,7 @@ Source1: baselibs.conf Patch0: reproducible.patch BuildRequires: fdupes BuildRequires: gcc-c++ +BuildRequires: gobject-introspection BuildRequires: kmod-compat BuildRequires: libxslt-tools # for hw_atilibusb driver @@ -77,9 +78,6 @@ Group: Hardware/Other Requires(pre): shadow Provides: %{name} = %{version} Obsoletes: %{name} < %{version} -# Required by mvc_view.py from lirc-setup -Requires: typelib-1_0-Gtk-3_0 -Requires: typelib-1_0-Vte-2.91 %{?systemd_requires} %description core @@ -254,6 +252,7 @@ rm -rf %{buildroot}/%{_datadir}/lirc/lirc-%{version}.tar.gz %{buildroot}/%{_data %postun -n liblirc_driver0 -p /sbin/ldconfig %postun -n liblirc0 -p /sbin/ldconfig %postun -n libirrecord0 -p /sbin/ldconfig + %pre core getent group lirc >/dev/null || groupadd -r lirc getent passwd lirc >/dev/null || \ From f9ba0e218ef1429425af4739f50617a4c278c321c35f9917a387f692d8453403 Mon Sep 17 00:00:00 2001 
From: Stefan Seyfried Date: Wed, 6 Oct 2021 06:36:09 +0000 Subject: [PATCH 3/3] Accepting request 923297 from home:jsegitz:branches:systemdhardening:vdr Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/923297 OBS-URL: https://build.opensuse.org/package/show/vdr/lirc?expand=0&rev=105
---
harden_irexec.service.patch | 21 +++++++++++++++++++++
harden_lircd-uinput.service.patch | 21 +++++++++++++++++++++
harden_lircd.service.patch | 21 +++++++++++++++++++++
harden_lircmd.service.patch | 21 +++++++++++++++++++++
lirc.changes | 9 +++++++++
lirc.spec | 8 ++++++++
6 files changed, 101 insertions(+)
create mode 100644 harden_irexec.service.patch
create mode 100644 harden_lircd-uinput.service.patch
create mode 100644 harden_lircd.service.patch
create mode 100644 harden_lircmd.service.patch
diff --git a/harden_irexec.service.patch b/harden_irexec.service.patch
new file mode 100644
index 0000000..a49a125
--- /dev/null
+++ b/harden_irexec.service.patch
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/irexec.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/irexec.service
++++ lirc-0.10.1/systemd/irexec.service
+@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi
+ Description=Handle events from IR remotes decoded by lircd(8)
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ; user=lirc
+ ; group=lirc
+
diff --git a/harden_lircd-uinput.service.patch b/harden_lircd-uinput.service.patch
new file mode 100644
index 0000000..8c59376
--- /dev/null
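Review bot: The block added under `[Service]` in irexec.service is inherited by every command irexec launches from the user's lircrc, and neither the unit nor the patch documents that. Since the commit message says the change was not tested, an action that needs to set the clock, load a module or write under /proc/sys would now fail with no hint pointing at the unit; a comment such as `# NOTE: restrictions below also apply to all commands started by irexec` above the block would save that debugging. The trailing context shows `; user=lirc` and `; group=lirc` still commented out, so the service presumably still runs as root and none of the added directives limits filesystem writes; `NoNewPrivileges=true` and `ProtectSystem=` are the settings I would evaluate next, after testing. The unit file continues outside the inner hunk.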
+++ b/harden_lircd-uinput.service.patch
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/lircd-uinput.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/lircd-uinput.service
++++ lirc-0.10.1/systemd/lircd-uinput.service
+@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi
+ Description=Forward LIRC button presses as uinput events
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=/usr/sbin/lircd-uinput
+ ; user=lirc
diff --git a/harden_lircd.service.patch b/harden_lircd.service.patch
new file mode 100644
index 0000000..b2c9362
--- /dev/null
+++ b/harden_lircd.service.patch
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/lircd.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/lircd.service
++++ lirc-0.10.1/systemd/lircd.service
+@@ -6,6 +6,16 @@ Wants=lircd-setup.service
+ After=network.target lircd-setup.service
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=/usr/sbin/lircd --nodaemon
+ ; User=lirc
diff --git a/harden_lircmd.service.patch b/harden_lircmd.service.patch
new file mode 100644
index 0000000..b1a5527
--- /dev/null
+++ b/harden_lircmd.service.patch
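Review bot: `ProtectClock=true` in the lircd-uinput.service block (and identically in harden_lircd.service.patch and harden_lircmd.service.patch) is documented in systemd.exec(5) as implying `DeviceAllow=char-rtc r`, and with the default `DevicePolicy=auto` any DeviceAllow= entry turns device access into an allow-list. These three daemons exist to open device nodes (the description here is "Forward LIRC button presses as uinput events"), so the unit may lose access to its input and uinput devices; the commit message says this was not tested. I would either drop `ProtectClock=true` from the three units or pair it with explicit entries for what each daemon opens, e.g. `DeviceAllow=/dev/uinput rw` here, and confirm on a machine with a receiver attached. `ProtectKernelTunables=true` deserves the same check if any configured driver writes under /sys. Each unit file continues outside its inner hunk.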
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/lircmd.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/lircmd.service
++++ lirc-0.10.1/systemd/lircmd.service
+@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi
+ Description=Convert IR remotes button presses to mouse movements and clicks
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=/usr/sbin/lircmd --nodaemon
+ ; user=lirc
diff --git a/lirc.changes b/lirc.changes
index 2e0d69d..f7b76e6 100644
--- a/lirc.changes
+++ b/lirc.changes
@@ -6,6 +6,15 @@ Tue Oct 5 12:06:44 UTC 2021 - Dominique Leuenberger - Add gobject-introspection BuildRequires to have the typelib dep scanner on board. +------------------------------------------------------------------- +Tue Oct 5 11:43:13 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_irexec.service.patch + * harden_lircd-uinput.service.patch + * harden_lircd.service.patch + * harden_lircmd.service.patch + ------------------------------------------------------------------- Sun Aug 8 01:55:41 UTC 2021 - Stanislav Brabec
diff --git a/lirc.spec b/lirc.spec
index e74f207..f184ac3 100644
--- a/lirc.spec
+++ b/lirc.spec
@@ -32,6 +32,10 @@ URL: http://www.lirc.org/ Source0: https://downloads.sourceforge.net/project/lirc/LIRC/%{version}/lirc-%{version}.tar.bz2 Source1: baselibs.conf Patch0: reproducible.patch +Patch1: harden_irexec.service.patch +Patch2: harden_lircd-uinput.service.patch +Patch3: harden_lircd.service.patch +Patch4: harden_lircmd.service.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gobject-introspection
@@ -196,6 +200,10 @@ Some seldom used X11-based tools for debugging lirc configurations. # Don't provide or require anything from _docdir, per policy. %global __provides_exclude_from ^%{_docdir}/.*$ %global __requires_exclude_from ^%{_docdir}/.*$ +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 sed -i -e 's|/usr/local/etc/|%{_sysconfdir}/|' contrib/irman2lirc sed -i -e 's/#effective-user/effective-user /' lirc_options.conf