diff --git a/harden_irexec.service.patch b/harden_irexec.service.patch
new file mode 100644
index 0000000..a49a125
--- /dev/null
+++ b/harden_irexec.service.patch
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/irexec.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/irexec.service
++++ lirc-0.10.1/systemd/irexec.service
+@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi
+ Description=Handle events from IR remotes decoded by lircd(8)
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ ; user=lirc
+ ; group=lirc
+ 
diff --git a/harden_lircd-uinput.service.patch b/harden_lircd-uinput.service.patch
new file mode 100644
index 0000000..8c59376
--- /dev/null
+++ b/harden_lircd-uinput.service.patch
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/lircd-uinput.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/lircd-uinput.service
++++ lirc-0.10.1/systemd/lircd-uinput.service
+@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi
+ Description=Forward LIRC button presses as uinput events
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=/usr/sbin/lircd-uinput
+ ; user=lirc
diff --git a/harden_lircd.service.patch b/harden_lircd.service.patch
new file mode 100644
index 0000000..b2c9362
--- /dev/null
+++ b/harden_lircd.service.patch
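Review bot: The `; user=lirc` and `; group=lirc` lines directly below the inserted block stay commented out, so irexec keeps running as root and the seven Protect*/Restrict* directives fence a root process rather than dropping privileges; the lircd-uinput, lircd and lircmd patches in this commit are in the same position. The usual companions `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectHome=true` and `PrivateTmp=true` are not in the set. For irexec that omission is presumably deliberate, since as far as I know it executes user-configured commands on button presses and those may legitimately need /home or writable paths, so I would record the reasoning in the comment block, e.g. `# ProtectSystem/ProtectHome omitted on purpose: irexec runs user-configured commands (bsc#1181400)`. Once the unit is installed, `systemd-analyze security irexec.service` shows what exposure the current set leaves.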
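Review bot: `ExecStart=/usr/sbin/lircd-uinput` has to write to the uinput device, and any process that can write there can inject arbitrary input events into the session, so this is the unit where narrowing device access pays off most; `DevicePolicy=closed` with `DeviceAllow=/dev/uinput rw` would confine it to that node, and `ProtectHome=true` plus `ProtectSystem=strict` should be harmless for a pure forwarder. Two things to verify before adding them: whether the daemon opens any other device node, and whether the uinput module is already loaded when the unit starts, because `ProtectKernelModules=true` (added here) blocks explicit module loading from the service, so lazy loading would need to be confirmed on a machine where it is not preloaded. The inserted block is otherwise identical to the irexec patch and shares its open question about running as root.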
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/lircd.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/lircd.service
++++ lirc-0.10.1/systemd/lircd.service
+@@ -6,6 +6,16 @@ Wants=lircd-setup.service
+ After=network.target lircd-setup.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=/usr/sbin/lircd --nodaemon
+ ; User=lirc
diff --git a/harden_lircmd.service.patch b/harden_lircmd.service.patch
new file mode 100644
index 0000000..b1a5527
--- /dev/null
+++ b/harden_lircmd.service.patch
@@ -0,0 +1,21 @@
+Index: lirc-0.10.1/systemd/lircmd.service
+===================================================================
+--- lirc-0.10.1.orig/systemd/lircmd.service
++++ lirc-0.10.1/systemd/lircmd.service
+@@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi
+ Description=Convert IR remotes button presses to mouse movements and clicks
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=simple
+ ExecStart=/usr/sbin/lircmd --nodaemon
+ ; user=lirc
diff --git a/lirc.changes b/lirc.changes
index 2e0d69d..f7b76e6 100644
--- a/lirc.changes
+++ b/lirc.changes
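Review bot: lircd is the one daemon of the four with a network-facing option (`--listen`), and the unit already orders itself `After=network.target`, so the address families it can need are known: AF_UNIX for the client socket that irexec and lircd-uinput use, plus inet only when listening is enabled; `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` would state and enforce that, and `RestrictNamespaces=true` and `LockPersonality=true` have no obvious cost for it. `ProtectKernelModules=true` is the added directive most likely to interact with this unit, since lircd typically talks to kernel lirc drivers through /dev/lirc* nodes; if those modules are normally loaded on demand, check that the unit still starts on a machine where they are not preloaded. The lircmd patch on this line carries the same block and the same open question about running as root (`; user=lirc` stays commented out).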
@@ -6,6 +6,15 @@ Tue Oct 5 12:06:44 UTC 2021 - Dominique Leuenberger - Add gobject-introspection BuildRequires to have the typelib dep scanner on board. +------------------------------------------------------------------- +Tue Oct 5 11:43:13 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_irexec.service.patch + * harden_lircd-uinput.service.patch + * harden_lircd.service.patch + * harden_lircmd.service.patch + ------------------------------------------------------------------- Sun Aug 8 01:55:41 UTC 2021 - Stanislav Brabec diff --git a/lirc.spec b/lirc.spec index e74f207..f184ac3 100644 --- a/lirc.spec +++ b/lirc.spec @@ -32,6 +32,10 @@ URL: http://www.lirc.org/ Source0: https://downloads.sourceforge.net/project/lirc/LIRC/%{version}/lirc-%{version}.tar.bz2 Source1: baselibs.conf Patch0: reproducible.patch +Patch1: harden_irexec.service.patch +Patch2: harden_lircd-uinput.service.patch +Patch3: harden_lircd.service.patch +Patch4: harden_lircmd.service.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gobject-introspection @@ -196,6 +200,10 @@ Some seldom used X11-based tools for debugging lirc configurations. # Don't provide or require anything from _docdir, per policy. %global __provides_exclude_from ^%{_docdir}/.*$ %global __requires_exclude_from ^%{_docdir}/.*$ +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 sed -i -e 's|/usr/local/etc/|%{_sysconfdir}/|' contrib/irman2lirc sed -i -e 's/#effective-user/effective-user /' lirc_options.conf
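Review bot: The four new `Patch1:`–`Patch4:` lines carry no provenance comment, and `lirc.changes` is the only place that ties them to bsc#1181400; the openSUSE convention is a `# PATCH-FIX-OPENSUSE <name> bsc#… -- <reason>` tag above each `PatchN:` line so the intent survives without reading the changelog. A line such as `# PATCH-FIX-OPENSUSE harden_irexec.service.patch bsc#1181400 -- systemd hardening` above each of the four would do. The second hunk applies them with `%patch1 -p1` through `%patch4 -p1`, which matches the `lirc-0.10.1/` prefix in the patches' `Index:` headers.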