Accepting request 923531 from home:jsegitz:branches:systemdhardening:network:utilities

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/923531 OBS-URL: https://build.opensuse.org/package/show/network:utilities/memcached?expand=0&rev=86
2021-10-29 14:02:17 +00:00 · 2021-10-29 14:02:17 +00:00 · 75e05f09fb
commit 75e05f09fb
parent b7f4d01d9c
4 changed files with 41 additions and 0 deletions
--- a/harden_memcached.service.patch
+++ b/harden_memcached.service.patch
@ -0,0 +1,18 @@
+Index: memcached-1.6.9/scripts/memcached.service
+===================================================================
+--- memcached-1.6.9.orig/scripts/memcached.service
+++ memcached-1.6.9/scripts/memcached.service
+@@ -41,6 +41,13 @@ CapabilityBoundingSet=CAP_SETGID CAP_SET
+ # Restricts the set of socket address families accessible to the processes
+ # of this unit. Protects against vulnerabilities such as CVE-2016-8655
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelLogs=true
+# end of automatic additions 
+ 
+ 
+ # Some security features are not in the older versions of systemd used by
--- a/memcached.changes
+++ b/memcached.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct  6 12:01:19 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_memcached.service.patch
+  Modified:
+  * memcached.service
+
 -------------------------------------------------------------------
 Fri Jun  4 13:18:29 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

--- a/memcached.service
+++ b/memcached.service
@ -3,6 +3,19 @@ Description=memcached daemon
 After=network.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 EnvironmentFile=/etc/sysconfig/memcached
 ExecStart=/usr/sbin/memcached -u $MEMCACHED_USER $MEMCACHED_PARAMS

--- a/memcached.spec
+++ b/memcached.spec
@ -40,6 +40,7 @@ Source2:        %{name}.sysconfig
 Source3:        memcached-rpmlintrc
 Source4:        memcached.service
 Source5:        system-user-memcached.conf
+Patch0:	harden_memcached.service.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  cyrus-sasl-devel
@ -87,6 +88,7 @@ This package contains development files

 %prep
 %setup -q
+%patch0 -p1

 %build
 autoreconf -fi