2a0da6d5f1
+ macros: drop %{_pesign_args}
+ Fix two bugs from package building
+ Fix bad free of cms data (DoS only)
+ Send pesign stdout/err to systemd journal
+ Add missing Install section
+ Add default packages for pkg-config
+ Short delay to ensure /run/pesign/socket exists
+ Resolve crash when signature that is removed is not the end of
the list
+ Enhance error diagnostics about version mismatch
+ Upstream all Fedora changes
+ Add some hardening options to build
+ Add code of conduct
+ Fix build on gcc 12 and non-Fedora
- Refresh patches
+ harden_pesign.service.patch
+ pesign-boo1143063-remove-var-tracking.patch
+ pesign-boo1185663-set-rpmmacrodir.patch
+ pesign-fix-authvar-write-loop.patch
+ pesign-suse-build.patch
- Remove upstreamed/unnecessary patches
+ pesign-boo1158197-fix-pesigncheck-gcc10.patch
+ pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+ pesign-privkey_unneeded.diff
+ pesign-run.patch
+ Fix wrong oid offsets (bsc#1205323)
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=66
25 lines
787 B
Diff
25 lines
787 B
Diff
Index: pesign-115/src/pesign.service.in
|
|
===================================================================
|
|
--- pesign-115.orig/src/pesign.service.in
|
|
+++ pesign-115/src/pesign.service.in
|
|
@@ -3,6 +3,19 @@ Description=Pesign signing daemon
|
|
|
|
[Service]
|
|
PrivateTmp=true
|
|
+# added automatically, for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+PrivateDevices=true
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
+# end of automatic additions
|
|
PIDFile=@@RUNDIR@@/pesign.pid
|
|
ExecStart=/usr/bin/pesign --daemonize --nofork
|
|
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|