Accepting request 933795 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/933795 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-abrmd?expand=0&rev=62
2021-11-30 09:31:21 +00:00 · 2021-11-30 09:31:21 +00:00 · b27e01aef4
commit b27e01aef4
parent 1e214528c0
3 changed files with 32 additions and 2 deletions
--- a/harden_tpm2-abrmd.service.patch
+++ b/harden_tpm2-abrmd.service.patch
@ -0,0 +1,22 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.service.in
+++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.service.in
+@@ -6,6 +6,17 @@ After=dev-tpm0.device
+ Requires=dev-tpm0.device
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=dbus
+ BusName=com.intel.tss2.Tabrmd
+ ExecStart=@SBINDIR@/tpm2-abrmd
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 25 09:16:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_tpm2-abrmd.service.patch
+
 -------------------------------------------------------------------
 Sat Jul 17 21:04:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

+
 %global selinuxtype targeted
 %global modulename tabrmd
 Name:           tpm2.0-abrmd
@ -26,6 +27,7 @@ Group:          Productivity/Security
 URL:            https://github.com/tpm2-software/tpm2-abrmd
 Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
 Source1:        tpm2.0-abrmd.rpmlintrc
+Patch0:         harden_tpm2-abrmd.service.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  checkpolicy
@ -33,11 +35,11 @@ BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  policycoreutils
+BuildRequires:  selinux-policy-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(dbus-1)
 BuildRequires:  pkgconfig(gio-unix-2.0)
 BuildRequires:  pkgconfig(tss2-sys)
-BuildRequires:  selinux-policy-devel
 # due to %%selinux_requires
 BuildRequires:  pkgconfig(systemd)
 #
@ -90,7 +92,7 @@ use with the SAPI library (libtss2-sys) like any other TCTI.
 %postun -n libtss2-tcti-tabrmd0 -p /sbin/ldconfig

 %prep
-%autosetup -n tpm2-abrmd-%{version}
+%autosetup -n tpm2-abrmd-%{version} -p1

 %build
 export CFLAGS="%{optflags} -fPIE"