From 1ba7c0f00bf0329b2034c0349e9da22600d62028ea971ab5661cebe002e44f24 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Tue, 7 Dec 2021 12:01:22 +0000
Subject: [PATCH] Accepting request 933486 from home:jsegitz:branches:systemdhardening:server:proxy

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933486
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=242
---
 harden_squid.service.patch | 24 ++++++++++++++++++++++++
 squid.changes | 8 ++++++++
 squid.service | 13 +++++++++++++
 squid.spec | 2 ++
 4 files changed, 47 insertions(+)
 create mode 100644 harden_squid.service.patch

diff --git a/harden_squid.service.patch b/harden_squid.service.patch
new file mode 100644
index 0000000..69b25e3
--- /dev/null
+++ b/harden_squid.service.patch
@@ -0,0 +1,24 @@
+Index: squid-5.2/tools/systemd/squid.service
+===================================================================
+--- squid-5.2.orig/tools/systemd/squid.service
++++ squid-5.2/tools/systemd/squid.service
+@@ -11,6 +11,19 @@ Documentation=man:squid(8)
+ After=network.target network-online.target nss-lookup.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=notify
+ PIDFile=/var/run/squid.pid
+ ExecStartPre=/usr/sbin/squid --foreground -z
diff --git a/squid.changes b/squid.changes
index 06b5de3..8e03943 100644
--- a/squid.changes
+++ b/squid.changes
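Review bot: Nothing in the added `[Service]` block records that the sandbox is inherited by every helper Squid forks (authentication helpers, the SSL-Bump certificate generator, pinger) or how an administrator is expected to relax it, which matters because the commit message itself states the change is untested; I would put a comment before `ProtectSystem=full` such as `# Inherited by every helper squid spawns; relax via a drop-in (systemctl edit squid.service), not by editing this file`. From the visible lines the options look compatible with the unit: `ProtectSystem=full` leaves /var writable, so `PIDFile=/var/run/squid.pid` and the `ExecStartPre=/usr/sbin/squid --foreground -z` cache initialisation are unaffected, and `PrivateDevices=true` still exposes the pseudo-devices (/dev/null, /dev/urandom) that TLS code needs. `ProtectHome=true` will, however, break any deployment whose cache_dir, logs or helper data live under /home or /root, and `ProtectHostname=`, `ProtectKernelLogs=` and `ProtectClock=` are newer directives that older systemd releases appear to log as unknown and ignore, so the effective hardening on such hosts is weaker than the file suggests. The rest of the `[Service]` section (any `User=` or `CapabilityBoundingSet=`) lies outside the hunk, so it is not visible whether squid keeps the full root capability set here.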
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Nov 23 15:20:27 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_squid.service.patch
+ Modified:
+ * squid.service
+
 -------------------------------------------------------------------
 Mon Oct 4 13:19:48 UTC 2021 - Adam Majer
 
diff --git a/squid.service b/squid.service
index e0733e7..4fc3486 100644
--- a/squid.service
+++ b/squid.service
@@ -4,6 +4,19 @@ Documentation=man:squid(8)
 After=network.target named.service nss-lookup.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 ExecStartPre=%{_libexecdir}/squid/initialize_cache_if_needed.sh
 ExecStart=/usr/sbin/squid -FC
diff --git a/squid.spec b/squid.spec
index f41aba2..a6dfe23 100644
--- a/squid.spec
+++ b/squid.spec
@@ -46,6 +46,7 @@ Source16: initialize_cache_if_needed.sh
 Source17: tmpfilesdir.squid.conf
 Patch1: missing_installs.patch
 Patch2: old_nettle_compat.patch
+Patch3: harden_squid.service.patch
 BuildRequires: cppunit-devel
 BuildRequires: expat
 BuildRequires: fdupes
@@ -98,6 +99,7 @@ accelerator.
 %prep
 %setup -q
 cp %{SOURCE10} .
+%patch3 -p1
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
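Review bot: In the `squid.service` hunk the same eleven-option block is pasted a second time, so it now has to be kept in sync by hand with the copy in `harden_squid.service.patch`; a line after `# added automatically` such as `# keep in sync with harden_squid.service.patch (upstream unit)` would at least make that visible to the next editor. `ProtectSystem=full` is also the weakest useful choice for this unit: a caching proxy only needs its cache, log and state directories plus /run writable, so `ProtectSystem=strict` with a `ReadWritePaths=` naming exactly those (the paths are not visible here and should be taken from the packaged squid.conf and `initialize_cache_if_needed.sh`) would protect the rest of /var as well. Once a test run with helpers enabled exists, `PrivateTmp=true`, `RestrictSUIDSGID=true` and `SystemCallArchitectures=native` are low-risk additions the automatic set leaves out. The hunk shows no `User=` or `CapabilityBoundingSet=`, so unless they appear outside it, `ExecStart=/usr/sbin/squid -FC` runs with the full root capability set and relies on squid dropping privileges itself; none of the added options change that.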