From 2dca86f45cdcee471f3591d20a27d0c3e5f0baffe367834e794368d7435b97e1 Mon Sep 17 00:00:00 2001 From: Hans-Peter Jansen Date: Mon, 22 May 2023 09:34:46 +0000 Subject: [PATCH] Accepting request 1084411 from home:jsegitz:branches:vdr - Remove ProtectClock hardening. This causes more pain then it helps (bsc#1200577) OBS-URL: https://build.opensuse.org/request/show/1084411 OBS-URL: https://build.opensuse.org/package/show/vdr/lirc?expand=0&rev=116 --- harden_irexec.service.patch | 3 +-- harden_lircd-uinput.service.patch | 3 +-- harden_lircd.service.patch | 12 +++++------- harden_lircmd.service.patch | 3 +-- lirc.changes | 6 ++++++ lirc.spec | 2 +- 6 files changed, 15 insertions(+), 14 deletions(-) diff --git a/harden_irexec.service.patch b/harden_irexec.service.patch index a49a125..68d42cd 100644 --- a/harden_irexec.service.patch +++ b/harden_irexec.service.patch @@ -2,14 +2,13 @@ Index: lirc-0.10.1/systemd/irexec.service =================================================================== --- lirc-0.10.1.orig/systemd/irexec.service +++ lirc-0.10.1/systemd/irexec.service -@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi +@@ -5,6 +5,15 @@ Documentation=http://lirc.org/html/confi Description=Handle events from IR remotes decoded by lircd(8) [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true -+ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true diff --git a/harden_lircd-uinput.service.patch b/harden_lircd-uinput.service.patch index 8c59376..5c678f7 100644 --- a/harden_lircd-uinput.service.patch +++ b/harden_lircd-uinput.service.patch 
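Review bot: Dropping `ProtectClock=true` in harden_irexec.service.patch gives up all three of its effects, although only one of them appears to cause the trouble. Besides the implied `DeviceAllow=char-rtc r`, which switches the unit to a device allow-list (the comment removed from harden_lircd.service.patch says it "blocks all device accesses"), the setting also drops CAP_SYS_TIME and CAP_WAKE_ALARM and filters clock-setting system calls. If bsc#1200577 is about the device restriction, which is not visible on this page, the other two protections can be kept by adding `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` and `SystemCallFilter=~@clock` to the hardening block. The same applies to the lircd-uinput, lircd and lircmd unit patches in this commit.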
@@ -2,14 +2,13 @@ Index: lirc-0.10.1/systemd/lircd-uinput.service =================================================================== --- lirc-0.10.1.orig/systemd/lircd-uinput.service +++ lirc-0.10.1/systemd/lircd-uinput.service -@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi +@@ -5,6 +5,15 @@ Documentation=http://lirc.org/html/confi Description=Forward LIRC button presses as uinput events [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true -+ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true diff --git a/harden_lircd.service.patch b/harden_lircd.service.patch index 807db2b..1681538 100644 --- a/harden_lircd.service.patch +++ b/harden_lircd.service.patch @@ -1,22 +1,20 @@ ---- lirc-0.10.1.orig/systemd/lircd.service 2021-11-13 20:42:43.204519438 +0100 -+++ lirc-0.10.1/systemd/lircd.service 2021-11-13 20:47:54.182189779 +0100 -@@ -6,6 +6,20 @@ Wants=lircd-setup.service +Index: lirc-0.10.1/systemd/lircd.service +=================================================================== +--- lirc-0.10.1.orig/systemd/lircd.service ++++ lirc-0.10.1/systemd/lircd.service +@@ -6,6 +6,16 @@ Wants=lircd-setup.service After=network.target lircd-setup.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true -+ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions -+# -+# ProtectClock=true from above blocks all device accesses, allow input device access again -+DeviceAllow=char-input +# Type=simple ExecStart=/usr/sbin/lircd --nodaemon diff --git a/harden_lircmd.service.patch b/harden_lircmd.service.patch index b1a5527..5590f55 100644 --- a/harden_lircmd.service.patch 
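Review bot: After this change nothing in harden_lircd.service.patch records why `ProtectClock=` is absent from a block labelled "added automatically", so a later automated hardening pass could put it back. The deleted comment was the only explanation of the device-access problem in the unit. I would keep one line after `# end of automatic additions`, for example `# ProtectClock= intentionally not set: it implies a device allow-list that blocks device access (bsc#1200577)`. Removing `DeviceAllow=char-input` together with it looks right, since a lone `DeviceAllow=` would keep the allow-list active under the default `DevicePolicy=auto`.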
+++ b/harden_lircmd.service.patch @@ -2,14 +2,13 @@ Index: lirc-0.10.1/systemd/lircmd.service =================================================================== --- lirc-0.10.1.orig/systemd/lircmd.service +++ lirc-0.10.1/systemd/lircmd.service -@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi +@@ -5,6 +5,15 @@ Documentation=http://lirc.org/html/confi Description=Convert IR remotes button presses to mouse movements and clicks [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true -+ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true diff --git a/lirc.changes b/lirc.changes index 68e5b50..f423977 100644 --- a/lirc.changes +++ b/lirc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed May 3 14:13:16 UTC 2023 - Johannes Segitz + +- Remove ProtectClock hardening. This causes more pain then it + helps (bsc#1200577) + ------------------------------------------------------------------- Sun Jul 24 17:36:52 UTC 2022 - Andreas Schwab diff --git a/lirc.spec b/lirc.spec index 8097c59..491c1fb 100644 --- a/lirc.spec +++ b/lirc.spec @@ -1,7 +1,7 @@ # # spec file for package lirc # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed