pool/rrdtool
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 932184 from home:jsegitz:branches:systemdhardening:devel:languages:python

Browse Source 
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/932184
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/rrdtool?expand=0&rev=91
This commit is contained in:
Danilo Spinella 2021-11-22 10:20:06 +00:00 committed by Git OBS Bridge
parent 8554d9a44b
commit bfff176f02
4 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
harden_rrdcached.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: rrdtool-1.7.2/etc/rrdcached.service.in
===================================================================
--- rrdtool-1.7.2.orig/etc/rrdcached.service.in
+++ rrdtool-1.7.2/etc/rrdcached.service.in
@@ -8,6 +8,19 @@ Description=Data caching daemon for rrdt
Documentation=man:rrdcached(1)
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
# If you enable socket-activable rrdcached.socket,
# command line socket declarations will be ignored
ExecStart=@prefix@/bin/rrdcached -g

13
rrdcached.service
View File

@ -12,6 +12,19 @@ Wants=network.target
After=network.target After=network.target
[Service] [Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking Type=forking
ExecStartPre=-/bin/echo 'Starting RRD data caching service (rrdtools - rrdcached)' ExecStartPre=-/bin/echo 'Starting RRD data caching service (rrdtools - rrdcached)'
ExecStartPre=/bin/sh -c "/usr/share/rrdcached/rrdcached-systemd-pre" ExecStartPre=/bin/sh -c "/usr/share/rrdcached/rrdcached-systemd-pre"

8
rrdtool.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Nov 16 08:36:04 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_rrdcached.service.patch
Modified:
* rrdcached.service
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Sep 22 16:40:00 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de> Sun Sep 22 16:40:00 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>

2
rrdtool.spec
View File

@ -66,6 +66,7 @@ BuildRequires: zlib-devel
Requires: dejavu Requires: dejavu
%if 0%{?suse_version} >= 1500 %if 0%{?suse_version} >= 1500
Patch13: python3.patch Patch13: python3.patch
Patch14: harden_rrdcached.service.patch
%endif %endif
%if %{with python} %if %{with python}
BuildRequires: %{python}-devel BuildRequires: %{python}-devel
@ -218,6 +219,7 @@ daemon was written to alleviate these problems.
%if 0%{?suse_version} >= 1500 %if 0%{?suse_version} >= 1500
%patch13 -p1 %patch13 -p1
%endif %endif
%patch14 -p1
# rrd_tool/rrd_cgi: use the date of the last change # rrd_tool/rrd_cgi: use the date of the last change
modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")" modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"