forked from pool/bitcoin
Accepting request 914548 from home:jsegitz:branches:systemdhardening:network:cryptocurrencies
- Added hardening to systemd service(s). Added patch(es): * harden_bitcoind.service.patch Modified: * bitcoind.service OBS-URL: https://build.opensuse.org/request/show/914548 OBS-URL: https://build.opensuse.org/package/show/network:cryptocurrencies/bitcoin?expand=0&rev=42
This commit is contained in:
parent
38120920c3
commit
fa617d246f
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 27 07:49:41 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Added hardening to systemd service(s). Added patch(es):
|
||||
* harden_bitcoind.service.patch
|
||||
Modified:
|
||||
* bitcoind.service
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 14 10:54:00 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
|
||||
|
||||
|
@ -34,6 +34,7 @@ Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%
|
||||
Source1: %{base}d.service
|
||||
Source3: %{base}d.conf
|
||||
Source4: %{base}.conf
|
||||
Patch0: harden_bitcoind.service.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: gcc-c++
|
||||
@ -165,7 +166,7 @@ several GB of space, slowly growing.
|
||||
This package provides automated tests for %{name}-qt5 and %{name}d.
|
||||
|
||||
%prep
|
||||
%autosetup
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
autoreconf -fiv
|
||||
|
@ -4,6 +4,19 @@ Requires=network.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
User=bitcoin
|
||||
PIDFile=/run/bitcoin/bitcoind.pid
|
||||
ExecStart=/usr/bin/bitcoind -conf=/etc/bitcoin/bitcoin.conf -pid=/run/bitcoin/bitcoind.pid -datadir=/var/lib/bitcoin
|
||||
|
21
harden_bitcoind.service.patch
Normal file
21
harden_bitcoind.service.patch
Normal file
@ -0,0 +1,21 @@
|
||||
Index: bitcoin-0.21.1/contrib/init/bitcoind.service
|
||||
===================================================================
|
||||
--- bitcoin-0.21.1.orig/contrib/init/bitcoind.service
|
||||
+++ bitcoin-0.21.1/contrib/init/bitcoind.service
|
||||
@@ -69,6 +69,16 @@ NoNewPrivileges=true
|
||||
# Use a new /dev namespace only populated with API pseudo devices
|
||||
# such as /dev/null, /dev/zero and /dev/random.
|
||||
PrivateDevices=true
|
||||
+# added automatically, for details please see
|
||||
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
+ProtectHostname=true
|
||||
+ProtectClock=true
|
||||
+ProtectKernelTunables=true
|
||||
+ProtectKernelModules=true
|
||||
+ProtectKernelLogs=true
|
||||
+ProtectControlGroups=true
|
||||
+RestrictRealtime=true
|
||||
+# end of automatic additions
|
||||
|
||||
# Deny the creation of writable and executable memory mappings.
|
||||
MemoryDenyWriteExecute=true
|
Loading…
Reference in New Issue
Block a user