From 7325262251218dd8fd64d62bdf0f87333f00cbf2e6426b305d4e01d5d5c5db1c Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Fri, 29 Oct 2021 12:59:42 +0000
Subject: [PATCH] Accepting request 926696 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/926696
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=63
---
 harden_pesign.service.patch | 24 ++++++++++++++++++++++++
 pesign.changes | 6 ++++++
 pesign.spec | 2 ++
 3 files changed, 32 insertions(+)
 create mode 100644 harden_pesign.service.patch

diff --git a/harden_pesign.service.patch b/harden_pesign.service.patch
new file mode 100644
index 0000000..835ec42
--- /dev/null
+++ b/harden_pesign.service.patch
@@ -0,0 +1,24 @@
+Index: pesign-113/src/pesign.service.in
+===================================================================
+--- pesign-113.orig/src/pesign.service.in
++++ pesign-113/src/pesign.service.in
+@@ -3,6 +3,19 @@ Description=Pesign signing daemon
+ 
+ [Service]
+ PrivateTmp=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
diff --git a/pesign.changes b/pesign.changes
index 0e7e26f..6dc2fae 100644
--- a/pesign.changes
+++ b/pesign.changes
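Review bot: Every directive added to the [Service] section between `PrivateTmp=true` and `Type=forking` is a filesystem or kernel-interface restriction; nothing constrains the process's own privileges, so `ExecStart=/usr/bin/pesign --daemonize` still starts as root with its full capability set and unfiltered syscalls, and the commit message itself states the result was not tested. Before this lands, the unit should be started on a test host and a signing request pushed through the daemon's socket, because `ProtectSystem=full` mounts /etc read-only and, as far as I recall, pesign keeps its NSS certificate database under /etc/pki/pesign — it should only need read access, but that needs confirming against the pesign source. The privilege gap is normally closed for a local-socket daemon with `NoNewPrivileges=true`, `RestrictAddressFamilies=AF_UNIX` and `SystemCallArchitectures=native`; NoNewPrivileges does not interfere with a daemon that drops to an unprivileged user via setuid(), only with regaining privileges through exec. A `CapabilityBoundingSet=` limited to what the privilege drop needs (presumably CAP_SETUID/CAP_SETGID/CAP_CHOWN, to be verified), and `ProtectSystem=strict` with `ReadWritePaths=` for the socket and PID-file locations under /run, would be the next step, validated with `systemd-analyze security pesign.service`.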
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 19 05:58:37 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_pesign.service.patch
+
 -------------------------------------------------------------------
 Tue Jun 8 15:55:09 UTC 2021 - Wolfgang Frisch
 
diff --git a/pesign.spec b/pesign.spec
index e5ec23f..169e159 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -40,6 +40,7 @@ Patch6: pesign-boo1143063-remove-var-tracking.patch
 Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
 Patch8: pesign-boo1185663-set-rpmmacrodir.patch
+Patch9: harden_pesign.service.patch
 BuildRequires: efivar-devel
 BuildRequires: libuuid-devel
 BuildRequires: mozilla-nss-devel
@@ -64,6 +65,7 @@ with the PE and Authenticode specifications.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie"