From 22a7b88d913bab94f12209dc7467064e1e5c281955e6bdf21883118c4d2fbc0f Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 26 Oct 2021 06:35:12 +0000
Subject: [PATCH 1/4] Accepting request 926705 from home:jsegitz:branches:systemdhardening:multimedia:libs
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/926705
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=245
---
 harden_pulseaudio.service.patch | 24 ++++++++++++++++++++++++
 pulseaudio.changes | 8 ++++++++
 pulseaudio.service | 13 +++++++++++++
 pulseaudio.spec | 2 ++
 4 files changed, 47 insertions(+)
 create mode 100644 harden_pulseaudio.service.patch
diff --git a/harden_pulseaudio.service.patch b/harden_pulseaudio.service.patch
new file mode 100644
index 0000000..4683b58
--- /dev/null
+++ b/harden_pulseaudio.service.patch
@@ -0,0 +1,24 @@
+Index: pulseaudio-15.0/src/daemon/systemd/user/pulseaudio.service.in
+===================================================================
+--- pulseaudio-15.0.orig/src/daemon/systemd/user/pulseaudio.service.in
++++ pulseaudio-15.0/src/daemon/systemd/user/pulseaudio.service.in
+@@ -23,6 +23,19 @@ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+ Restart=on-failure
+ RestrictNamespaces=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+ # Note that notify will only work if --daemonize=no
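Review bot: `PrivateDevices=true` in the added block replaces /dev with a private instance that holds only pseudo-devices, so the ALSA nodes under /dev/snd disappear and a daemon built against alsa-devel (see the spec's BuildRequires) can no longer open any sound card; the identical block is added to the system-wide pulseaudio.service in the next file section, where the `--system` instance on its ExecStart line has the same problem. `RestrictRealtime=true` most likely clashes with the real-time scheduling the daemon relies on (the spec carries `Requires: rtkit`), and `ProtectHome=read-only` on the per-user pulseaudio.service.in would block the daemon if it keeps per-user state under $HOME — both need verifying rather than applying blind, and the commit message itself says the change is untested. If hiding devices is still wanted, `DevicePolicy=closed` together with `DeviceAllow=char-alsa rw` keeps the sound nodes reachable while dropping everything else; the remaining directives (`ProtectSystem`, `ProtectKernel*`, `ProtectControlGroups`, `ProtectHostname`, `ProtectClock`) look safe for a sound daemon. Mount-namespace options like these are also not generally available to an unprivileged `systemd --user` manager, so the .service.in change needs a test under a user session as well as under the system instance.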
diff --git a/pulseaudio.changes b/pulseaudio.changes
index fba5d43..1ca4f74 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 20 14:37:33 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_pulseaudio.service.patch
+ Modified:
+ * pulseaudio.service
+
 -------------------------------------------------------------------
 Fri Oct 8 10:56:52 UTC 2021 - Jan Engelhardt
diff --git a/pulseaudio.service b/pulseaudio.service
index be0439a..0685f27 100644
--- a/pulseaudio.service
+++ b/pulseaudio.service
@@ -3,6 +3,19 @@ Description=System wide PulseAudio instance
 After=syslog.target network.target alsasound.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 Restart=always
 ExecStart=/usr/bin/pulseaudio --system --log-target=journal
diff --git a/pulseaudio.spec b/pulseaudio.spec
index 4cb0b13..38ced8d 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -53,6 +53,7 @@ Patch1: suppress-socket-error-msg.diff
 Patch5: qpaeq-shebang.patch
 # PATCH-FIX-OPENSUSE Workaround for old systemd on Leap 15.x
 Patch6: pulseaudio-old-systemd-workaround.patch
+Patch7: harden_pulseaudio.service.patch
 BuildRequires: alsa-devel >= 1.0.19
 BuildRequires: bluez-devel >= 5
 BuildRequires: fdupes
@@ -334,6 +335,7 @@ System user for PulseAudio
 %if 0%{?suse_version} < 1550
 %patch6 -p1
 %endif
+%patch7 -p1
 %build
 %meson \
From a3c5dd1800a93ab688359d81b2f6fb2ffa65969125238d486b2d08cace55ee19 Mon Sep 17 00:00:00 2001
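Review bot: `Patch7: harden_pulseaudio.service.patch` is added without the `# PATCH-FIX-OPENSUSE` tag line that its neighbour Patch6 carries, so a reader of the spec cannot tell where the patch comes from or which bug it belongs to. The changes entry in this commit names bsc#1181400, so the line before Patch7 could read `# PATCH-FIX-OPENSUSE harden_pulseaudio.service.patch bsc#1181400 -- systemd sandboxing for the user unit`. The second spec hunk applies it unconditionally with `%patch7 -p1`, which is consistent with the patch touching only the .service.in template and not the systemd-version-dependent parts guarded by the `%if` above it.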
From: Takashi Iwai
Date: Thu, 28 Oct 2021 12:17:47 +0000
Subject: [PATCH 2/4] Accepting request 927939 from home:tiwai:branches:multimedia:libs
- Revert the previous change, as it turned out to be broken; Drop harden_pulseaudio.service.patch
OBS-URL: https://build.opensuse.org/request/show/927939
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=246
---
 harden_pulseaudio.service.patch | 24 ------------------------
 pulseaudio.changes | 6 ++++++
 pulseaudio.service | 13 -------------
 pulseaudio.spec | 2 --
 4 files changed, 6 insertions(+), 39 deletions(-)
 delete mode 100644 harden_pulseaudio.service.patch
diff --git a/harden_pulseaudio.service.patch b/harden_pulseaudio.service.patch
deleted file mode 100644
index 4683b58..0000000
--- a/harden_pulseaudio.service.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: pulseaudio-15.0/src/daemon/systemd/user/pulseaudio.service.in
-===================================================================
---- pulseaudio-15.0.orig/src/daemon/systemd/user/pulseaudio.service.in
-+++ pulseaudio-15.0/src/daemon/systemd/user/pulseaudio.service.in
-@@ -23,6 +23,19 @@ MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
- Restart=on-failure
- RestrictNamespaces=yes
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=read-only
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- SystemCallArchitectures=native
- SystemCallFilter=@system-service
- # Note that notify will only work if --daemonize=no
diff --git a/pulseaudio.changes b/pulseaudio.changes
index 1ca4f74..4a619f1 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 28 14:14:55 CEST 2021 - tiwai@suse.de
+
+- Revert the previous change, as it turned out to be broken;
+ Drop harden_pulseaudio.service.patch
+
 -------------------------------------------------------------------
 Wed Oct 20 14:37:33 UTC 2021 - Johannes Segitz
diff --git a/pulseaudio.service b/pulseaudio.service
index 0685f27..be0439a 100644
--- a/pulseaudio.service
+++ b/pulseaudio.service
@@ -3,19 +3,6 @@ Description=System wide PulseAudio instance
 After=syslog.target network.target alsasound.service
 [Service]
-# added automatically, for details please see
-# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-ProtectSystem=full
-ProtectHome=read-only
-PrivateDevices=true
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-RestrictRealtime=true
-# end of automatic additions
 Type=simple
 Restart=always
 ExecStart=/usr/bin/pulseaudio --system --log-target=journal
diff --git a/pulseaudio.spec b/pulseaudio.spec
index 38ced8d..4cb0b13 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -53,7 +53,6 @@ Patch1: suppress-socket-error-msg.diff
 Patch5: qpaeq-shebang.patch
 # PATCH-FIX-OPENSUSE Workaround for old systemd on Leap 15.x
 Patch6: pulseaudio-old-systemd-workaround.patch
-Patch7: harden_pulseaudio.service.patch
 BuildRequires: alsa-devel >= 1.0.19
 BuildRequires: bluez-devel >= 5
 BuildRequires: fdupes
@@ -335,7 +334,6 @@ System user for PulseAudio
 %if 0%{?suse_version} < 1550
 %patch6 -p1
 %endif
-%patch7 -p1
 %build
 %meson \
From adf441bf346bdeace9ae5c1bddb2566e1f195519fe885c85ae6efd629b03991b Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 16 Nov 2021 22:48:47 +0000
Subject: [PATCH 3/4] Accepting request 931866 from home:tiwai:branches:multimedia:libs
- Use system-user-pulse instead of user(pulse) for PreReq; otherwise a new project can't resolve
OBS-URL: https://build.opensuse.org/request/show/931866
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=247
---
 pulseaudio.changes | 14 +++----------
 pulseaudio.spec | 2 +-
 2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/pulseaudio.changes b/pulseaudio.changes
index 4a619f1..b1fe257 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@@ -1,16 +1,8 @@
 -------------------------------------------------------------------
-Thu Oct 28 14:14:55 CEST 2021 - tiwai@suse.de
+Tue Nov 16 23:13:49 CET 2021 - tiwai@suse.de
-- Revert the previous change, as it turned out to be broken;
- Drop harden_pulseaudio.service.patch
-
--------------------------------------------------------------------
-Wed Oct 20 14:37:33 UTC 2021 - Johannes Segitz
-
-- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
- * harden_pulseaudio.service.patch
- Modified:
- * pulseaudio.service
+- Use system-user-pulse instead of user(pulse) for PreReq;
+ otherwise a new project can't resolve
 -------------------------------------------------------------------
 Fri Oct 8 10:56:52 UTC 2021 - Jan Engelhardt
diff --git a/pulseaudio.spec b/pulseaudio.spec
index 4cb0b13..beadf24 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -97,7 +97,7 @@ BuildRequires: pkgconfig(xtst)
 Requires: rtkit
 Requires: udev >= 146
-Requires(pre): user(pulse)
+Requires(pre): system-user-pulse
 ## needs the same liborc version which was used to build against
 %requires_eq liborc-0_4-0
 Requires(post): %fillup_prereq
From eaba00ef93be6bb20d82e53e209e216bb49cc940e9a97f4e2137b2ee58e7ccf5 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Wed, 17 Nov 2021 12:43:23 +0000
Subject: [PATCH 4/4] Accepting request 931940 from home:gmbr3:Active
- Revert last change and BuildIgnore user(pulse) instead.
OBS-URL: https://build.opensuse.org/request/show/931940
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=248
---
 pulseaudio.changes | 5 +++++
 pulseaudio.spec | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/pulseaudio.changes b/pulseaudio.changes
index b1fe257..598a175 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Nov 17 11:11:29 UTC 2021 - Callum Farmer
+
+- Revert last change and BuildIgnore user(pulse) instead.
+
 -------------------------------------------------------------------
 Tue Nov 16 23:13:49 CET 2021 - tiwai@suse.de
diff --git a/pulseaudio.spec b/pulseaudio.spec
index beadf24..d5ce0fe 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -97,7 +97,8 @@ BuildRequires: pkgconfig(xtst)
 Requires: rtkit
 Requires: udev >= 146
-Requires(pre): system-user-pulse
+#!BuildIgnore: user(pulse)
+Requires(pre): user(pulse)
 ## needs the same liborc version which was used to build against
 %requires_eq liborc-0_4-0
 Requires(post): %fillup_prereq
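Review bot: `#!BuildIgnore: user(pulse)` is added without any comment saying why a capability that is only needed at install time is being excluded from build-dependency expansion; the reason lives solely in the previous commit's changelog ("otherwise a new project can't resolve") and will be lost on the next spec cleanup. A line above it such as `# user(pulse) is a pre-install requirement only; ignore it when expanding build deps so new projects can resolve` would keep the intent next to the directive. The `Requires(pre): user(pulse)` line that returns here is unaffected by the BuildIgnore, so the installed package still demands the capability before its %pre scriptlet runs, which appears to be the behaviour the series wants.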