Accepting request 925370 from home:jsegitz:branches:systemdhardening:hardware

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/925370
OBS-URL: https://build.opensuse.org/package/show/hardware/nut?expand=0&rev=96

harden_nut-driver.service.patch

@@ -0,0 +1,22 @@
+Index: nut-2.7.4/scripts/systemd/nut-driver.service.in
+===================================================================
+--- nut-2.7.4.orig/scripts/systemd/nut-driver.service.in
++++ nut-2.7.4/scripts/systemd/nut-driver.service.in
+@@ -4,6 +4,17 @@ After=local-fs.target network.target
+ StopWhenUnneeded=yes
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ ExecStart=@SBINDIR@/upsdrvctl start
+ ExecStop=@SBINDIR@/upsdrvctl stop
+ Type=forking

harden_nut-monitor.service.patch

@@ -0,0 +1,22 @@
+Index: nut-2.7.4/scripts/systemd/nut-monitor.service.in
+===================================================================
+--- nut-2.7.4.orig/scripts/systemd/nut-monitor.service.in
++++ nut-2.7.4/scripts/systemd/nut-monitor.service.in
+@@ -3,6 +3,17 @@ Description=Network UPS Tools - power de
+ After=local-fs.target network.target nut-server.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ ExecStart=@SBINDIR@/upsmon
+ PIDFile=@PIDPATH@/upsmon.pid
+ Type=forking

harden_nut-server.service.patch

@@ -0,0 +1,22 @@
+Index: nut-2.7.4/scripts/systemd/nut-server.service.in
+===================================================================
+--- nut-2.7.4.orig/scripts/systemd/nut-server.service.in
++++ nut-2.7.4/scripts/systemd/nut-server.service.in
+@@ -8,6 +8,17 @@ Wants=nut-driver.service
+ Before=nut-monitor.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ ExecStart=@SBINDIR@/upsd 
+ Type=forking
+ 

nut.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Oct 15 07:26:53 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_nut-driver.service.patch
+  * harden_nut-monitor.service.patch
+  * harden_nut-server.service.patch
+
 -------------------------------------------------------------------
 Sun Jun 27 11:43:12 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
 

nut.spec

@@ -59,6 +59,9 @@ Patch11:        openssl-1_1.patch
 Patch12:        nut-upssched.patch
 Patch13:        reproducible.patch
 Patch14:        nutscanner-ftbfs.patch
+Patch15:	harden_nut-driver.service.patch
+Patch16:	harden_nut-monitor.service.patch
+Patch17:	harden_nut-server.service.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  asciidoc
 BuildRequires:  avahi-devel
@@ -178,6 +181,9 @@ cp -a %{SOURCE2} %{SOURCE6} %{SOURCE7} .
 %patch13 -p1
 %patch14 -p1
 sed -i s/@now@/`date -r ChangeLog +%%Y-%%m-%%d`/g docs/docinfo.xml.in
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 sed -i s:%{_prefix}/local/ups/bin:/bin: conf/upssched.conf.sample.in