From f396e813a163ab7a7acf8bf2798a75e890dfc545191a8d9131efeea50027bba7 Mon Sep 17 00:00:00 2001
From: Fusion Future
Date: Fri, 22 Oct 2021 02:42:59 +0000
Subject: [PATCH] Accepting request 926714 from home:jsegitz:branches:systemdhardening:network:messaging:amqp
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/926714
OBS-URL: https://build.opensuse.org/package/show/network:messaging:amqp/rabbitmq-server?expand=0&rev=173
---
 harden_rabbitmq-server.service.patch | 24 ++++++++++++++++++++++++
 rabbitmq-server.changes | 8 ++++++++
 rabbitmq-server.service | 13 +++++++++++++
 rabbitmq-server.spec | 2 ++
 4 files changed, 47 insertions(+)
 create mode 100644 harden_rabbitmq-server.service.patch
diff --git a/harden_rabbitmq-server.service.patch b/harden_rabbitmq-server.service.patch
new file mode 100644
index 0000000..779fb8a
--- /dev/null
+++ b/harden_rabbitmq-server.service.patch
@@ -0,0 +1,24 @@
+Index: rabbitmq-server-3.9.8/deps/rabbit/docs/rabbitmq-server.service.example
+===================================================================
+--- rabbitmq-server-3.9.8.orig/deps/rabbit/docs/rabbitmq-server.service.example
++++ rabbitmq-server-3.9.8/deps/rabbit/docs/rabbitmq-server.service.example
+@@ -5,6 +5,19 @@ After=network.target epmd@0.0.0.0.socket
+ Wants=network.target epmd@0.0.0.0.socket
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=notify
+ User=rabbitmq
+ Group=rabbitmq
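Review bot: The comment block added at the top of `[Service]` records where the directives came from but not that they are unverified, and the commit message itself says this set has not been tested; the identical block added to rabbitmq-server.service in the next file has the same gap. Since `ProtectSystem=full` makes /usr, /boot and /etc read-only and `ProtectHome=true` hides /home and /root from the daemon, the minimum check before shipping is a start/stop of the unit with the journal watched for EROFS/EACCES failures, or `systemd-analyze security rabbitmq-server.service` to confirm the directives took effect. Once that is done I would extend the first comment to `# added automatically, for details please see … — verified against rabbitmq-server <VERSION> on <DATE>` (placeholders to be filled by the packager). The two copies of the block should stay byte-identical; editing one without the other would silently desynchronise the packaged unit from the patched upstream example.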
diff --git a/rabbitmq-server.changes b/rabbitmq-server.changes
index b9c25e1..7a75bc5 100644
--- a/rabbitmq-server.changes
+++ b/rabbitmq-server.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Oct 21 08:16:10 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_rabbitmq-server.service.patch
+ Modified:
+ * rabbitmq-server.service
+
 -------------------------------------------------------------------
 Wed Oct 20 11:17:30 UTC 2021 - Fusion Future
 
diff --git a/rabbitmq-server.service b/rabbitmq-server.service
index 8578d73..98e506a 100644
--- a/rabbitmq-server.service
+++ b/rabbitmq-server.service
@@ -4,6 +4,19 @@ After=syslog.target network.target epmd.service
 BindsTo=epmd.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=notify
 User=rabbitmq
 Group=rabbitmq
diff --git a/rabbitmq-server.spec b/rabbitmq-server.spec
index df3874f..ecc515a 100644
--- a/rabbitmq-server.spec
+++ b/rabbitmq-server.spec
@@ -54,6 +54,7 @@ Source4: rabbitmq-env.conf
 Source6: rabbitmq-server.service
 Source7: https://raw.githubusercontent.com/rabbitmq/rabbitmq-packaging/v%{version}/RPMS/Fedora/rabbitmq-server.tmpfiles
 Source8: README.SUSE
+Patch0: harden_rabbitmq-server.service.patch
 BuildRequires: elixir
 # https://www.rabbitmq.com/which-erlang.html
 BuildRequires: erlang >= 23.2
@@ -130,6 +131,7 @@ Optional dependency offering zsh completion for %{name}.
 %prep
 %setup -q
 cp %{SOURCE8} .
+%patch0 -p1
 
 %build
 # Make elixir happy with Unicode
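Review bot: `Patch0` only touches `deps/rabbit/docs/rabbitmq-server.service.example`, while the unit this package appears to ship is `Source6: rabbitmq-server.service`, which receives the same hardening block directly in this commit; if the example file is not installed, the patch changes nothing in the built package and only keeps the upstream copy in step. A one-line comment above `Patch0:` naming which of the two files is actually installed, e.g. `# Hardens the upstream example unit; the shipped unit is Source6 and carries the same block`, would spare the next maintainer from working that out. `%patch0 -p1` is applied after `cp %{SOURCE8} .` in `%prep`, which is fine, but note that a future upstream rename of the example file will then fail the build at `%prep` rather than skipping silently, so the patch needs to be refreshed on every version bump.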