Accepting request 933795 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933795
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-abrmd?expand=0&rev=62

harden_tpm2-abrmd.service.patch

@@ -0,0 +1,22 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.service.in
++++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+@@ -6,6 +6,17 @@ After=dev-tpm0.device
+ Requires=dev-tpm0.device
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=read-only
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=dbus
+ BusName=com.intel.tss2.Tabrmd
+ ExecStart=@SBINDIR@/tpm2-abrmd

tpm2.0-abrmd.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_tpm2-abrmd.service.patch
+
 -------------------------------------------------------------------
 Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
 

tpm2.0-abrmd.spec

@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
+
 %global selinuxtype targeted
 %global modulename tabrmd
 Name:           tpm2.0-abrmd
@@ -26,6 +27,7 @@ Group:          Productivity/Security
 URL:            https://github.com/tpm2-software/tpm2-abrmd
 Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
 Source1:        tpm2.0-abrmd.rpmlintrc
+Patch0:         harden_tpm2-abrmd.service.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  checkpolicy
@@ -33,11 +35,11 @@ BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  policycoreutils
+BuildRequires:  selinux-policy-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(dbus-1)
 BuildRequires:  pkgconfig(gio-unix-2.0)
 BuildRequires:  pkgconfig(tss2-sys)
-BuildRequires:  selinux-policy-devel
 # due to %%selinux_requires
 BuildRequires:  pkgconfig(systemd)
 #
@@ -90,7 +92,7 @@ use with the SAPI library (libtss2-sys) like any other TCTI.
 %postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig
 
 %prep
-%autosetup -n tpm2-abrmd-%{version}
+%autosetup -n tpm2-abrmd-%{version} -p1
 
 %build
 export CFLAGS="%{optflags} -fPIE"