strongswan/harden_strongswan.service.patch
Jan Engelhardt cf0313df27 - rename -hmac subpackage to -fips because it isn't providing
the hmac files, it provides the configuration drop in to
  enforce fips mode.

- Removes deprecated SysV support
- Added prf-plus-modularization.patch that outsources the IKE
- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
  to strongswan-nm subpackage, as it is needed for the
  NetworkManager plugin that uses strongswan-nm, not
- Removed unused requires and macro calls(bsc#1083261)
    improved oracle are not compatible with the earlier
    (wasn't the case since 5.0.0) and packets that have the flag
    also checked against IKEv2 signature schemes. If such
    constraints are used for certificate chain validation in
    transport mode connections coming over the same NAT device for
    Windows 7 IKEv2 clients, which announces its services over the
  * For the vici plugin a Python Egg has been added to allow
    Python applications to control or monitor the IKE daemon using
  * EAP server methods now can fulfill public key constraints,
- Fix build in factory
- Fix systemd unit dir
  from glibc
    IDr payload anymore.
  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
  caused an INVALID_SYNTAX error on PowerPC platforms.
- Initial, unfinished package

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=165
2024-11-26 12:56:29 +00:00

23 lines
794 B
Diff

Index: strongswan-5.9.5/init/systemd/strongswan.service.in
===================================================================
--- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
+++ strongswan-5.9.5/init/systemd/strongswan.service.in
@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
After=network-online.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=notify
ExecStart=@SBINDIR@/charon-systemd
ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt