Accepting request 932990 from Base:System

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort (forwarded request 932179 from jsegitz)

OBS-URL: https://build.opensuse.org/request/show/932990
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sensors?expand=0&rev=108

harden_fancontrol.service.patch

@@ -0,0 +1,21 @@
+Index: lm-sensors-3-6-0/prog/init/fancontrol.service
+===================================================================
+--- lm-sensors-3-6-0.orig/prog/init/fancontrol.service
++++ lm-sensors-3-6-0/prog/init/fancontrol.service
+@@ -4,6 +4,16 @@ ConditionFileNotEmpty=/etc/fancontrol
+ After=lm_sensors.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=simple
+ PIDFile=/run/fancontrol.pid
+ ExecStart=/usr/sbin/fancontrol

harden_lm_sensors.service.patch

@@ -0,0 +1,21 @@
+Index: lm-sensors-3-6-0/prog/init/lm_sensors.service
+===================================================================
+--- lm-sensors-3-6-0.orig/prog/init/lm_sensors.service
++++ lm-sensors-3-6-0/prog/init/lm_sensors.service
+@@ -2,6 +2,16 @@
+ Description=Initialize hardware monitoring sensors
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ EnvironmentFile=/etc/sysconfig/lm_sensors
+ Type=oneshot
+ RemainAfterExit=yes

harden_sensord.service.patch

@@ -0,0 +1,21 @@
+Index: lm-sensors-3-6-0/prog/init/sensord.service
+===================================================================
+--- lm-sensors-3-6-0.orig/prog/init/sensord.service
++++ lm-sensors-3-6-0/prog/init/sensord.service
+@@ -3,6 +3,16 @@ Description=Log hardware monitoring data
+ After=lm_sensors.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ EnvironmentFile=/etc/sysconfig/sensord
+ Type=forking
+ PIDFile=/run/sensord.pid

sensors.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Nov 16 15:44:52 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_fancontrol.service.patch
+  * harden_lm_sensors.service.patch
+  * harden_sensord.service.patch
+
 -------------------------------------------------------------------
 Fri Aug 20 09:40:26 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
 

sensors.spec

@@ -52,6 +52,9 @@ Patch11:        pwmconfig-raise-fan-threshold.patch
 #PATCH-FIX-UPSTREAM Change PIDFile path from /var/run to /run
 Patch12:        change-pidfile-path-from-var-run-to-run.patch
 Patch13:        var-run-deprecated.patch
+Patch14:        harden_fancontrol.service.patch
+Patch15:        harden_lm_sensors.service.patch
+Patch16:        harden_sensord.service.patch
 BuildRequires:  bison
 BuildRequires:  flex
 BuildRequires:  rrdtool-devel
@@ -124,6 +127,9 @@ sense to the user.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 RPM_OPT_FLAGS="%{optflags}"