
Accepting request 914548 from home:jsegitz:branches:systemdhardening:network:cryptocurrencies

- Added hardening to systemd service(s). Added patch(es):
  * harden_bitcoind.service.patch
  Modified:
  * bitcoind.service

OBS-URL: https://build.opensuse.org/request/show/914548
OBS-URL: https://build.opensuse.org/package/show/network:cryptocurrencies/bitcoin?expand=0&rev=42
Martin Pluskal 2021-08-27 15:22:13 +00:00 committed by Git OBS Bridge
parent 38120920c3
commit fa617d246f
4 changed files with 44 additions and 1 deletions


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Aug 27 07:49:41 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s). Added patch(es):
* harden_bitcoind.service.patch
Modified:
* bitcoind.service
-------------------------------------------------------------------
Fri May 14 10:54:00 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>


@ -34,6 +34,7 @@ Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%
Source1: %{base}d.service
Source3: %{base}d.conf
Source4: %{base}.conf
Patch0: harden_bitcoind.service.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gcc-c++
@ -165,7 +166,7 @@ several GB of space, slowly growing.
This package provides automated tests for %{name}-qt5 and %{name}d.
%prep
%autosetup
%autosetup -p1
%build
autoreconf -fiv
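Review bot: `Patch0` is applied by `%autosetup -p1` to contrib/init/bitcoind.service inside the unpacked tarball, while `Source1: %{base}d.service` is a separate copy of the unit that the same commit edits by hand, so the hardening now lives in two places. The %install section is outside this hunk, so it is not visible which of the two files ends up in the package. If only Source1 is installed, the patch has no effect on the shipped unit and still has to be rebased on every version bump. If both are used, the two directive sets can drift apart. Whichever is intended, a tag line above the patch entry would record it, e.g. `# PATCH-FEATURE-OPENSUSE harden_bitcoind.service.patch -- systemd sandboxing for contrib/init/bitcoind.service`.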


@ -4,6 +4,19 @@ Requires=network.target
After=network.target
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
User=bitcoin
PIDFile=/run/bitcoin/bitcoind.pid
ExecStart=/usr/bin/bitcoind -conf=/etc/bitcoin/bitcoin.conf -pid=/run/bitcoin/bitcoind.pid -datadir=/var/lib/bitcoin
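Review bot: The automatic block under `[Service]` does not add `NoNewPrivileges=true` or `MemoryDenyWriteExecute=true`, both of which the upstream contrib/init/bitcoind.service patched in this same commit already carries. The unit continues past the hunk, so confirm they are set further down, and if not add `NoNewPrivileges=true` next to `User=bitcoin`. `ProtectSystem=full` still leaves /var and /run writable for the whole service. Since the only paths the command line writes are the datadir and the PID file, `ProtectSystem=strict` with `ReadWritePaths=/var/lib/bitcoin /run/bitcoin` would be the tighter equivalent. `ProtectHome=true` deserves a short comment for administrators, e.g. `# /home, /root and /run/user are hidden from the daemon; keep -datadir and wallet paths outside them`.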


@ -0,0 +1,21 @@
Index: bitcoin-0.21.1/contrib/init/bitcoind.service
===================================================================
--- bitcoin-0.21.1.orig/contrib/init/bitcoind.service
+++ bitcoin-0.21.1/contrib/init/bitcoind.service
@@ -69,6 +69,16 @@ NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true