Accepting request 928144 from server:monitoring

OBS-URL: https://build.opensuse.org/request/show/928144 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/loki?expand=0&rev=5
2021-10-29 20:34:40 +00:00 · 2021-10-29 20:34:40 +00:00 · c6bf95facb
commit c6bf95facb
parent 892fec9011 7ae04090b7
5 changed files with 58 additions and 0 deletions
--- a/harden_promtail.service.patch
+++ b/harden_promtail.service.patch
@ -0,0 +1,23 @@
+Index: loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
+===================================================================
+--- loki-2.2.1+git.1617669398.babea82e.orig/docs/sources/clients/aws/ec2/promtail.service
+++ loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
+@@ -1,6 +1,18 @@
+ [Unit]
+ Description=Promtail
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ User=root
+ WorkingDirectory=/opt/promtail/
+ ExecStartPre=/bin/sleep 30
--- a/loki.changes
+++ b/loki.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Oct  6 06:11:13 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_promtail.service.patch
+  Modified:
+  * loki.service
+  * promtail.service
+
 -------------------------------------------------------------------
 Fri Jun 25 08:58:58 UTC 2021 - Stefano Torresi <stefano.torresi@suse.com>

--- a/loki.service
+++ b/loki.service
@ -3,6 +3,18 @@ Description=Loki is a horizontally-scalable, highly-available, multi-tenant log
 Documentation=https://github.com/grafana/loki

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Restart=always
 User=loki
 EnvironmentFile=-/etc/sysconfig/loki
--- a/loki.spec
+++ b/loki.spec
@ -28,6 +28,7 @@ Source1:        loki.service
 Source2:        promtail.service
 Source3:        sysconfig.loki
 Source4:        sysconfig.promtail
+Patch0:	harden_promtail.service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-devel
@ -57,6 +58,7 @@ This package contains the Promtail client.

 %prep
 %setup -q %{name}-%{version}
+%patch0 -p1

 %build
 %define buildpkg github.com/grafana/loki/pkg/build
--- a/promtail.service
+++ b/promtail.service
@ -3,6 +3,18 @@ Description=promtail is the agent responsible for gathering logs and sending the
 Documentation=https://github.com/grafana/loki/blob/master/docs/promtail.md

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Restart=always
 User=loki
 EnvironmentFile=-/etc/sysconfig/promtail