Accepting request 941864 from security

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_parsec.service.patch
  Modified:
  * parsec.service
  * Upstream submission: https://github.com/parallaxsecond/parsec/issues/569

OBS-URL: https://build.opensuse.org/request/show/941864
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/parsec?expand=0&rev=9

harden_parsec.service.patch

@@ -0,0 +1,22 @@
+Index: parsec-0.8.0/systemd-daemon/parsec.service
+===================================================================
+--- parsec-0.8.0.orig/systemd-daemon/parsec.service
++++ parsec-0.8.0/systemd-daemon/parsec.service
+@@ -3,6 +3,17 @@ Description=Parsec Service
+ Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ WorkingDirectory=/home/parsec/
+ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
+ 

parsec.changes

@@ -4,6 +4,15 @@ Thu Dec  9 11:05:48 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 - Fix /run/parsec permission to 755. This is enough for all
   users to access the service - boo#1193484 - CVE-2021-36781
 
+-------------------------------------------------------------------
+Fri Oct 15 07:01:37 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_parsec.service.patch
+  Modified:
+  * parsec.service
+  * Upstream submission: https://github.com/parallaxsecond/parsec/issues/569
+
 -------------------------------------------------------------------
 Mon Sep 27 10:18:08 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 

parsec.service

@@ -3,6 +3,17 @@ Description=Parsec Service
 Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=notify
 KillMode=process
 Restart=on-failure

parsec.spec

@@ -33,6 +33,8 @@ Source4:        config.toml
 Source5:        parsec.conf
 Source6:        system-user-parsec.conf
 Source10:       https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz
+# PATCH-FIX-UPSTREAM - https://github.com/parallaxsecond/parsec/issues/569
+Patch0:         harden_parsec.service.patch
 BuildRequires:  cargo
 BuildRequires:  clang-devel
 BuildRequires:  cmake
@@ -75,6 +77,7 @@ sed -i -e 's#default = \["unix-peer-credentials-authenticator"\]##' Cargo.toml
 # all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator", "jwt-svid-authenticator"]
 # But disable "trusted-service-provider" until we have a trusted-services package
 echo 'default = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "all-authenticators"]' >> Cargo.toml
+%patch0 -p1
 
 %build
 export PROTOC=%{_bindir}/protoc