From 369d376210b07c26e1d59a4c54f3b1a3645f06fd62c06624eeb1262670c5e6d0 Mon Sep 17 00:00:00 2001
From: "Dr. Werner Fink"
Date: Wed, 6 Oct 2021 14:25:18 +0000
Subject: [PATCH] Accepting request 923524 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/923524
OBS-URL: https://build.opensuse.org/package/show/Base:System/man?expand=0&rev=128
---
 harden_man-db.service.patch | 24 ++++++++++++++++++++++++
 man-db-create.service | 13 +++++++++++++
 man.changes | 8 ++++++++
 man.spec | 2 ++
 4 files changed, 47 insertions(+)
 create mode 100644 harden_man-db.service.patch

diff --git a/harden_man-db.service.patch b/harden_man-db.service.patch
new file mode 100644
index 0000000..66270d7
--- /dev/null
+++ b/harden_man-db.service.patch
@@ -0,0 +1,24 @@
+Index: man-db-2.9.4/init/systemd/man-db.service.in
+===================================================================
+--- man-db-2.9.4.orig/init/systemd/man-db.service.in
++++ man-db-2.9.4/init/systemd/man-db.service.in
+@@ -4,6 +4,19 @@ Documentation=man:mandb(8)
+ ConditionACPower=true
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ # Recover from deletion, per FHS.
+ ExecStart=+/usr/bin/install -d -o @cache_top_owner@ -g @cache_top_owner@ -m 0755 /var/cache/man
diff --git a/man-db-create.service b/man-db-create.service
index 43418bd..d6bc7df 100644
--- a/man-db-create.service
+++ b/man-db-create.service
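Review bot: The first ExecStart= on the hunk's last line is prefixed with `+`, and systemd runs a `+`-prefixed command with full privileges, so PrivateDevices=, ProtectSystem= and the other sandboxing options added under [Service] do not apply to that `install` call; the sandbox covers only the later ExecStart= lines, which lie outside this hunk. That is presumably deliberate, since recreating /var/cache/man needs root, but a comment next to the added block would stop a later reader from assuming the whole unit is confined, e.g. `# NOTE: the ExecStart=+... line below runs with full privileges; the + prefix bypasses the sandboxing options above.` ProtectSystem=full leaves /var writable, so the cache writes should still work, but the commit message says this was not tested — verify one mandb run and check `systemd-analyze security man-db.service` before merging. If the remaining ExecStart= lines need no writable path other than /var/cache/man, `ProtectSystem=strict` with `ReadWritePaths=/var/cache/man` would be the tighter setting.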
@@ -8,6 +8,19 @@ ConditionPathExists=/var/cache/man
 ConditionPathExists=!/var/cache/man/index.db
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/mandb --quiet --create
diff --git a/man.changes b/man.changes
index 28b42e6..d7963d4 100644
--- a/man.changes
+++ b/man.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 6 11:41:21 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_man-db.service.patch
+ Modified:
+ * man-db-create.service
+
 -------------------------------------------------------------------
 Fri Aug 6 13:38:49 UTC 2021 - Dr. Werner Fink
 
diff --git a/man.spec b/man.spec
index a04d645..0e30284 100644
--- a/man.spec
+++ b/man.spec
@@ -57,6 +57,7 @@ Patch8: man-db-2.9.4.patch
 # PATCH-FEATURE-OPENSUSE -- Add documentation about man0 section (header files)
 Patch9: man-db-2.6.3-man0.dif
 Patch10: man-db-2.9.4-alternitive.dif
+Patch11: harden_man-db.service.patch
 BuildRequires: automake
 BuildRequires: flex
 BuildRequires: gdbm-devel
@@ -110,6 +111,7 @@ printer (using groff).
 %patch9 -b .s10
 %patch10 -b .libalernative
 rm -f configure
+%patch11 -p1
 
 %build
 %global optflags %{optflags} -funroll-loops -pipe -Wall
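Review bot: `mandb --quiet --create` on the hunk's last line writes only the index.db under /var/cache/man named in the ConditionPathExists= line above, yet the added block stops at `ProtectSystem=full`, which keeps all of /var (and everything outside /usr, /boot and /etc) writable; `ProtectSystem=strict` plus `ReadWritePaths=/var/cache/man` confines the service to the one path it actually needs and is the change I would make here. No User= or NoNewPrivileges= is visible in the hunk, so unless the rest of the unit sets them this command still runs as root with a full capability set; `NoNewPrivileges=true`, `PrivateTmp=true` and a `CapabilityBoundingSet=` would be the usual next additions. ProtectHostname=, ProtectClock= and ProtectKernelLogs= are only understood by fairly recent systemd releases; an older one logs an "Unknown key" warning and ignores them, so the hardening silently does not apply wherever this unit is backported. The commit message states the change was not tested, so one run that actually creates index.db under these options should precede merging.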