From b27e01aef4064c59763394f14c5da79790e5123607fa7d583e29aeb3ce985d6c Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Tue, 30 Nov 2021 09:31:21 +0000
Subject: [PATCH] Accepting request 933795 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/933795
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-abrmd?expand=0&rev=62
---
 harden_tpm2-abrmd.service.patch | 22 ++++++++++++++++++++++
 tpm2.0-abrmd.changes | 6 ++++++
 tpm2.0-abrmd.spec | 6 ++++--
 3 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 harden_tpm2-abrmd.service.patch
diff --git a/harden_tpm2-abrmd.service.patch b/harden_tpm2-abrmd.service.patch
new file mode 100644
index 0000000..7720a35
--- /dev/null
+++ b/harden_tpm2-abrmd.service.patch
@@ -0,0 +1,22 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.service.in
++++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+@@ -6,6 +6,17 @@ After=dev-tpm0.device
+ Requires=dev-tpm0.device
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=dbus
+ BusName=com.intel.tss2.Tabrmd
+ ExecStart=@SBINDIR@/tpm2-abrmd
diff --git a/tpm2.0-abrmd.changes b/tpm2.0-abrmd.changes
index 36088c1..d42fcc9 100644
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
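Review bot: The automatic block never records why `PrivateDevices=` is left out, and that omission is the one constraint a later hardening pass must know about: the unit already binds to the TPM device via `Requires=dev-tpm0.device`, and the daemon started by `ExecStart=@SBINDIR@/tpm2-abrmd` presumably opens that device, so adding `PrivateDevices=true` would break the resource manager without any error at patch time. I would add `# PrivateDevices= is deliberately unset: the daemon needs the TPM character device` inside the added block, before `# end of automatic additions`. The commit description states the change is untested; since `ProtectSystem=full` and `ProtectHome=read-only` change what the process can write, a boot with a TPM present plus a `systemd-analyze security tpm2-abrmd.service` run should confirm the unit still starts before this is accepted. The patch is pinned to the `tpm2-abrmd-2.4.0` tree in its `Index:` and `---`/`+++` headers, so it will need refreshing on the next version bump.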
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_tpm2-abrmd.service.patch
+
 -------------------------------------------------------------------
 Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer
 
diff --git a/tpm2.0-abrmd.spec b/tpm2.0-abrmd.spec
index e5d41a8..6b68c1e 100644
--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
+
 %global selinuxtype targeted
 %global modulename tabrmd
 Name: tpm2.0-abrmd
@@ -26,6 +27,7 @@ Group: Productivity/Security
 URL: https://github.com/tpm2-software/tpm2-abrmd
 Source0: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
 Source1: tpm2.0-abrmd.rpmlintrc
+Patch0: harden_tpm2-abrmd.service.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: checkpolicy
@@ -33,11 +35,11 @@ BuildRequires: gcc-c++
 BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: policycoreutils
+BuildRequires: selinux-policy-devel
 BuildRequires: systemd-rpm-macros
 BuildRequires: pkgconfig(dbus-1)
 BuildRequires: pkgconfig(gio-unix-2.0)
 BuildRequires: pkgconfig(tss2-sys)
-BuildRequires: selinux-policy-devel
 # due to %%selinux_requires
 BuildRequires: pkgconfig(systemd)
 #
@@ -90,7 +92,7 @@ use with the SAPI library (libtss2-sys) like any other TCTI.
 %postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
 
 %prep
-%autosetup -n tpm2-abrmd-%{version}
+%autosetup -n tpm2-abrmd-%{version} -p1
 
 %build
 export CFLAGS="%{optflags} -fPIE"
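Review bot: In the `@@ -33,11 +35,11 @@` hunk the comment `# due to %%selinux_requires` is orphaned: it explained the `BuildRequires: selinux-policy-devel` line that followed it, and after that line moves up to sit after `policycoreutils` the comment now precedes `BuildRequires: pkgconfig(systemd)`, which it does not describe. Move the comment with its dependency so the new side reads `BuildRequires: selinux-policy-devel` on one line and `# due to %%selinux_requires` on the next, and drop it from its old position. The `-p1` added to `%autosetup` in the last hunk is consistent with the `tpm2-abrmd-2.4.0/` path prefix used in Patch0's headers.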