From fad872c73be8c439cdc003c33181beed5d62e70d0a4afad5a5cc6362b9c58411 Mon Sep 17 00:00:00 2001
From: Guillaume GARDET
Date: Tue, 21 Dec 2021 15:09:55 +0000
Subject: [PATCH 1/3] Accepting request 925351 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/925351
OBS-URL: https://build.opensuse.org/package/show/security/parsec?expand=0&rev=16
---
 harden_parsec.service.patch | 22 ++++++++++++++++++++++
 parsec.changes | 8 ++++++++
 parsec.service | 11 +++++++++++
 parsec.spec | 2 ++
 4 files changed, 43 insertions(+)
 create mode 100644 harden_parsec.service.patch

diff --git a/harden_parsec.service.patch b/harden_parsec.service.patch
new file mode 100644
index 0000000..d8bb41d
--- /dev/null
+++ b/harden_parsec.service.patch
@@ -0,0 +1,22 @@
+Index: parsec-0.8.0/systemd-daemon/parsec.service
+===================================================================
+--- parsec-0.8.0.orig/systemd-daemon/parsec.service
++++ parsec-0.8.0/systemd-daemon/parsec.service
+@@ -3,6 +3,17 @@ Description=Parsec Service
+ Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ WorkingDirectory=/home/parsec/
+ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
+ 
diff --git a/parsec.changes b/parsec.changes
index 3bb6b50..7b1c196 100644
--- a/parsec.changes
+++ b/parsec.changes
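Review bot: `ProtectHome=true` in the new harden_parsec.service.patch is inserted a few lines above the retained `WorkingDirectory=/home/parsec/` of the upstream unit, and ProtectHome=true makes /home inaccessible and empty for the unit's processes, so systemd cannot change into that directory and the service would fail to start; this fits the commit message's own remark that the change was not tested. Either move the working directory outside /home (for example a `StateDirectory=` under /var/lib with `WorkingDirectory=` pointing at it) or leave `ProtectHome=` out of this block; prefixing the path with `-` would only hide the failure. The parsec.service hunk later in this patch adds the identical block, but its visible context (Type=notify, KillMode=process) shows no WorkingDirectory, so whether the packaged unit has the same conflict cannot be told from the hunk and is worth checking together with the home directory given to the parsec user in system-user-parsec.conf.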
@@ -4,6 +4,14 @@ Thu Dec 9 11:05:48 UTC 2021 - Guillaume GARDET
 - Fix /run/parsec permission to 755. This is enough for all users to access the service - boo#1193484 - CVE-2021-36781
+-------------------------------------------------------------------
+Fri Oct 15 07:01:37 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_parsec.service.patch
+ Modified:
+ * parsec.service
+
 -------------------------------------------------------------------
 Mon Sep 27 10:18:08 UTC 2021 - Guillaume GARDET
diff --git a/parsec.service b/parsec.service
index 0e708c1..96ec679 100644
--- a/parsec.service
+++ b/parsec.service
@@ -3,6 +3,17 @@ Description=Parsec Service
 Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=notify
 KillMode=process
 Restart=on-failure
diff --git a/parsec.spec b/parsec.spec
index 57eb534..08b567c 100644
--- a/parsec.spec
+++ b/parsec.spec
@@ -33,6 +33,7 @@ Source4: config.toml
 Source5: parsec.conf
 Source6: system-user-parsec.conf
 Source10: https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz
+Patch0: harden_parsec.service.patch
 BuildRequires: cargo
 BuildRequires: clang-devel
 BuildRequires: cmake
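Review bot: The packaged parsec.service now carries the same nine hardening directives that harden_parsec.service.patch applies to the upstream unit, and neither file hints that the other copy exists, so the two blocks will drift the next time one of them is edited. A cross-reference inside the marked block, e.g. `# keep in sync with harden_parsec.service.patch`, would keep the duplication visible. If only one of the two unit files is actually installed by the build, saying so in the same comment would tell the next maintainer which copy matters.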
@@ -75,6 +76,7 @@ sed -i -e 's#default = \["unix-peer-credentials-authenticator"\]##' Cargo.toml
 # all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator", "jwt-svid-authenticator"]
 # But disable "trusted-service-provider" until we have a trusted-services package
 echo 'default = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "all-authenticators"]' >> Cargo.toml
+%patch0 -p1
 %build
 export PROTOC=%{_bindir}/protoc

From d532b0994346c7debb7819b3115e376492509ba773845f28e3f5abdcc0a0e7a8 Mon Sep 17 00:00:00 2001
From: Guillaume GARDET
Date: Tue, 21 Dec 2021 15:15:55 +0000
Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/security/parsec?expand=0&rev=17

---
 parsec.spec | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/parsec.spec b/parsec.spec
index 08b567c..b15b239 100644
--- a/parsec.spec
+++ b/parsec.spec
@@ -33,7 +33,8 @@ Source4: config.toml
 Source5: parsec.conf
 Source6: system-user-parsec.conf
 Source10: https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz
-Patch0: harden_parsec.service.patch
+# PATCH-FIX-UPSTREAM - https://github.com/parallaxsecond/parsec/issues/569
+Patch0: harden_parsec.service.patch
 BuildRequires: cargo
 BuildRequires: clang-devel
 BuildRequires: cmake

From f1f6febe17afe433c8753d78f7f04fe15c344e924dc93a7511bcbaf825fec334 Mon Sep 17 00:00:00 2001
From: Guillaume GARDET
Date: Tue, 21 Dec 2021 15:16:33 +0000
Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/security/parsec?expand=0&rev=18

---
 parsec.changes | 1 +
 1 file changed, 1 insertion(+)

diff --git a/parsec.changes b/parsec.changes
index 7b1c196..a6384a8 100644
--- a/parsec.changes
+++ b/parsec.changes
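Review bot: The new `# PATCH-FIX-UPSTREAM` comment carries only the issue URL; the openSUSE patch-tag convention also expects the bug reference and a one-line purpose after the tag, and both are available on this page (bsc#1181400 from the changes entry, the hardening directives the patch adds). A line such as `# PATCH-FIX-UPSTREAM harden_parsec.service.patch bsc#1181400 -- add systemd hardening directives, https://github.com/parallaxsecond/parsec/issues/569` would tell a reader what the patch does without opening it. Separately, the `%patch0 -p1` line added in the first patch of this series rewrites the tarball's systemd-daemon/parsec.service while the package also ships its own parsec.service as a Source; which of the two is installed is not visible in these hunks, so it is worth confirming that the patched copy is the one that ends up in the package, otherwise Patch0 changes nothing at runtime.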
@@ -11,6 +11,7 @@ Fri Oct 15 07:01:37 UTC 2021 - Johannes Segitz
 * harden_parsec.service.patch
 Modified:
 * parsec.service
+ * Upstream submission: https://github.com/parallaxsecond/parsec/issues/569
 -------------------------------------------------------------------
 Mon Sep 27 10:18:08 UTC 2021 - Guillaume GARDET