Accepting request 933486 from home:jsegitz:branches:systemdhardening:server:proxy

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933486
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=242
Martin Pluskal 2021-12-07 12:01:22 +00:00 committed by Git OBS Bridge
parent 7540de6b79
commit 1ba7c0f00b
4 changed files with 47 additions and 0 deletions


@ -0,0 +1,24 @@
Index: squid-5.2/tools/systemd/squid.service
===================================================================
--- squid-5.2.orig/tools/systemd/squid.service
+++ squid-5.2/tools/systemd/squid.service
@@ -11,6 +11,19 @@ Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=notify
PIDFile=/var/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
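Review bot: The directive block added to the upstream unit template here (ProtectSystem through RestrictRealtime) is repeated verbatim in the packaged squid.service section later in this commit, so the two copies will drift the first time one of them is tuned after a breakage report. Keeping the block in only one file, or at least extending the `# added automatically` comment to say which copy is authoritative, would avoid that. The commit description states the change is untested, and `ProtectSystem=full` makes /usr, /boot and /etc read-only for the whole process tree while `PrivateDevices=true` leaves only pseudo-devices such as /dev/null and /dev/urandom, so both units should at least pass a start/reload/stop cycle before the request is accepted. The patched [Service] section continues outside this hunk.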


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Nov 23 15:20:27 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_squid.service.patch
Modified:
* squid.service
-------------------------------------------------------------------
Mon Oct 4 13:19:48 UTC 2021 - Adam Majer <adam.majer@suse.de>


@ -4,6 +4,19 @@ Documentation=man:squid(8)
After=network.target named.service nss-lookup.service
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking
ExecStartPre=%{_libexecdir}/squid/initialize_cache_if_needed.sh
ExecStart=/usr/sbin/squid -FC
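Review bot: `ExecStartPre=%{_libexecdir}/squid/initialize_cache_if_needed.sh` runs under the same sandbox as the added directives, so with `ProtectSystem=full` any write that script makes outside /var, /run or /tmp will fail at unit start rather than at squid itself; what the script writes is not visible here and should be checked against the read-only paths. A comment above ExecStartPre would make the constraint explicit for future edits: `# runs under the hardening above: cache init may only write below /var and /run`. `systemd-analyze security squid.service` on the built unit is a cheap way to confirm the directives took effect and to see which ones are still missing. The [Service] section continues past this hunk.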


@ -46,6 +46,7 @@ Source16: initialize_cache_if_needed.sh
Source17: tmpfilesdir.squid.conf
Patch1: missing_installs.patch
Patch2: old_nettle_compat.patch
Patch3: harden_squid.service.patch
BuildRequires: cppunit-devel
BuildRequires: expat
BuildRequires: fdupes
@ -98,6 +99,7 @@ accelerator.
%prep
%setup -q
cp %{SOURCE10} .
%patch3 -p1
# upstream patches after RELEASE
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`