Accepting request 926696 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/926696 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=63
2021-10-29 12:59:42 +00:00 · 2021-10-29 12:59:42 +00:00 · 7325262251
commit 7325262251
parent 0d9814b3ce
3 changed files with 32 additions and 0 deletions
--- a/harden_pesign.service.patch
+++ b/harden_pesign.service.patch
@ -0,0 +1,24 @@
+Index: pesign-113/src/pesign.service.in
+===================================================================
+--- pesign-113.orig/src/pesign.service.in
+++ pesign-113/src/pesign.service.in
+@@ -3,6 +3,19 @@ Description=Pesign signing daemon
+ 
+ [Service]
+ PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=forking
+ PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
--- a/pesign.changes
+++ b/pesign.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 19 05:58:37 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_pesign.service.patch
+
 -------------------------------------------------------------------
 Tue Jun  8 15:55:09 UTC 2021 - Wolfgang Frisch <wolfgang.frisch@suse.com>

--- a/pesign.spec
+++ b/pesign.spec
@ -40,6 +40,7 @@ Patch6:         pesign-boo1143063-remove-var-tracking.patch
 Patch7:         pesign-boo1158197-fix-pesigncheck-gcc10.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
 Patch8:         pesign-boo1185663-set-rpmmacrodir.patch
+Patch9:         harden_pesign.service.patch
 BuildRequires:  efivar-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  mozilla-nss-devel
@ -64,6 +65,7 @@ with the PE and Authenticode specifications.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 %build
 make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie"