diff --git a/harden_pesign.service.patch b/harden_pesign.service.patch
new file mode 100644
index 0000000..835ec42
--- /dev/null
+++ b/harden_pesign.service.patch
@@ -0,0 +1,24 @@
+Index: pesign-113/src/pesign.service.in
+===================================================================
+--- pesign-113.orig/src/pesign.service.in
++++ pesign-113/src/pesign.service.in
+@@ -3,6 +3,19 @@ Description=Pesign signing daemon
+ 
+ [Service]
+ PrivateTmp=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
diff --git a/pesign.changes b/pesign.changes
index 0e7e26f..6dc2fae 100644
--- a/pesign.changes
+++ b/pesign.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 19 05:58:37 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_pesign.service.patch
+
 -------------------------------------------------------------------
 Tue Jun 8 15:55:09 UTC 2021 - Wolfgang Frisch
diff --git a/pesign.spec b/pesign.spec
index e5ec23f..169e159 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -40,6 +40,7 @@ Patch6: pesign-boo1143063-remove-var-tracking.patch
 Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
 Patch8: pesign-boo1185663-set-rpmmacrodir.patch
+Patch9: harden_pesign.service.patch
 BuildRequires: efivar-devel
 BuildRequires: libuuid-devel
 BuildRequires: mozilla-nss-devel
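Review bot: `ProtectSystem=full` in the new `[Service]` block mounts /usr, /boot, /efi and /etc read-only for the daemon, so anything pesign writes under /etc at runtime (its NSS certificate database is the usual candidate, but I cannot see where the package configures it) will start failing with EROFS; if such writes exist, add a `ReadWritePaths=` line for that directory rather than dropping the option, and record the decision next to the "added automatically" comment so the next person does not treat the list as exhaustive. The /run paths the unit already uses (`PIDFile=/run/pesign.pid`, and presumably its socket directory) are not affected by this option. The generated set also stops short of the options that matter most for a local signing service: if the daemon only ever talks over a Unix socket, `PrivateNetwork=true` and `RestrictAddressFamilies=AF_UNIX` remove its network reach entirely, and `NoNewPrivileges=true` is compatible with a daemon that merely drops privileges after start; please confirm against pesign's behaviour before adding them. A one-line comment such as `# ProtectSystem=strict/SystemCallFilter deliberately not set: pesign forks and drops privileges at startup; revisit when upstream ships a unit` would make the scope of this hardening pass explicit.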
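Review bot: The new `Patch9:` line is the only patch declaration in the visible hunk without the `# PATCH-FIX-*` tag comment that precedes `Patch8`, and the bug reference (bsc#1181400) that the changelog entry carries is not repeated here where maintainers look first. Adding `# PATCH-FIX-OPENSUSE harden_pesign.service.patch bsc#1181400 -- Add systemd hardening options to pesign.service` above `Patch9:` keeps the spec consistent with its own convention and makes it obvious the patch is distribution-local rather than upstream. The `%patch9 -p1` application in the second hunk matches the `pesign-113/` prefix used in the patch's `Index:` line, so no change is needed there.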
@@ -64,6 +65,7 @@ with the PE and Authenticode specifications.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 %build
 make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie"