2a0da6d5f1
+ macros: drop %{_pesign_args} + Fix two bugs from package building + Fix bad free of cms data (DoS only) + Send pesign stdout/err to systemd journal + Add missing Install section + Add default packages for pkg-config + Short delay to ensure /run/pesign/socket exists + Resolve crash when signature that is removed is not the end of the list + Enhance error diagnostics about version mismatch + Upstream all Fedora changes + Add some hardening options to build + Add code of conduct + Fix build on gcc 12 and non-Fedora - Refresh patches + harden_pesign.service.patch + pesign-boo1143063-remove-var-tracking.patch + pesign-boo1185663-set-rpmmacrodir.patch + pesign-fix-authvar-write-loop.patch + pesign-suse-build.patch - Remove upstreamed/unnecessary patches + pesign-boo1158197-fix-pesigncheck-gcc10.patch + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch + pesign-privkey_unneeded.diff + pesign-run.patch + Fix wrong oid offsets (bsc#1205323) OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=66
25 lines
787 B
Diff
25 lines
787 B
Diff
Index: pesign-115/src/pesign.service.in
|
|
===================================================================
|
|
--- pesign-115.orig/src/pesign.service.in
|
|
+++ pesign-115/src/pesign.service.in
|
|
@@ -3,6 +3,19 @@ Description=Pesign signing daemon
|
|
|
|
[Service]
|
|
PrivateTmp=true
|
|
+# added automatically, for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+PrivateDevices=true
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
+# end of automatic additions
|
|
PIDFile=@@RUNDIR@@/pesign.pid
|
|
ExecStart=/usr/bin/pesign --daemonize --nofork
|
|
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|