Accepting request 932177 from home:jsegitz:branches:systemdhardening:Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/932177
OBS-URL: https://build.opensuse.org/package/show/Base:System/rtkit?expand=0&rev=46
Marcus Meissner 2021-11-19 08:24:20 +00:00 committed by Git OBS Bridge
parent 9159c5aa71
commit f9a3701ea0
3 changed files with 31 additions and 0 deletions


@ -0,0 +1,23 @@
Index: rtkit-0.13/rtkit-daemon.service.in
===================================================================
--- rtkit-0.13.orig/rtkit-daemon.service.in
+++ rtkit-0.13/rtkit-daemon.service.in
@@ -25,6 +25,18 @@ BusName=org.freedesktop.RealtimeKit1
NotifyAccess=main
CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
PrivateNetwork=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# end of automatic additions
[Install]
WantedBy=multi-user.target
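Review bot: The request message says these directives were generated automatically and not tested, so this hunk needs a functional test under the new sandbox before it is accepted, not only a syntax check. The bounding set kept above (CAP_SYS_CHROOT, CAP_DAC_READ_SEARCH) is there because rtkit-daemon chroots into /proc and reads other processes' entries to validate the threads it is asked to reprioritise, and ProtectSystem=full, PrivateDevices=true and the Protect* lines all run the service in a private mount namespace with extra seccomp filters; confirm that the daemon still starts, that /proc is reachable inside that namespace, and that a client thread is still granted a realtime priority (check `journalctl -u rtkit-daemon` while an audio session asks for RT). Two quick checks worth recording in the request: `systemd-analyze verify rtkit-daemon.service` and `systemd-analyze security rtkit-daemon.service` before and after. Two caveats for the template behind this change: RestrictRealtime= must stay unset for this unit, because granting SCHED_FIFO/SCHED_RR to other threads is the daemon's whole purpose and that option would filter exactly those calls; and if the daemon writes nothing under /etc or /var, ProtectSystem=strict is the stronger setting than full.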


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Nov 16 10:49:44 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_rtkit-daemon.service.patch
-------------------------------------------------------------------
Fri May 28 21:00:35 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
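Review bot: The changelog entry should name the unit that changed and record that the directives were applied automatically and untested, as the request message does, because this entry is what a packager bisecting a regression will find: e.g. `- Added hardening to rtkit-daemon.service (bsc#1181400), automatic and untested. Added patch(es):`. The generic "systemd service(s)" wording reads like the effort's template and hides which unit was touched.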


@ -26,6 +26,7 @@ License: BSD-3-Clause AND GPL-3.0-or-later
Group: System/Base
URL: https://github.com/heftig/rtkit
Source: https://github.com/heftig/rtkit/releases/download/v%{version}/rtkit-%{version}.tar.xz
Patch0: harden_rtkit-daemon.service.patch
BuildRequires: automake
BuildRequires: libcap-devel
BuildRequires: pkg-config
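Review bot: Patch0 has no tag comment; openSUSE packaging convention is to precede each patch with a `# PATCH-<type>-<origin>` line naming the patch, the bug and the author, so a reviewer can tell at a glance whether it is an openSUSE-only change or meant for upstream, e.g.
# PATCH-FIX-OPENSUSE harden_rtkit-daemon.service.patch bsc#1181400 jsegitz@suse.com -- systemd hardening of rtkit-daemon.service
Patch0: harden_rtkit-daemon.service.patch
Since the patch only tightens the unit file, it is also a candidate for upstream at https://github.com/heftig/rtkit (the URL in this hunk), after which the patch could be dropped.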
@ -47,6 +48,7 @@ scheduling to be used by normal user processes.
%prep
%setup -q
%patch0 -p1
%build
autoreconf -fiv