diff --git a/bitcoin.changes b/bitcoin.changes
index 17b3c4f..bca37cc 100644
--- a/bitcoin.changes
+++ b/bitcoin.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Aug 27 07:49:41 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_bitcoind.service.patch
+ Modified:
+ * bitcoind.service
+
 -------------------------------------------------------------------
 Fri May 14 10:54:00 UTC 2021 - Ferdinand Thiessen
diff --git a/bitcoin.spec b/bitcoin.spec
index c77c745..9e76c60 100644
--- a/bitcoin.spec
+++ b/bitcoin.spec
@@ -34,6 +34,7 @@ Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%
 Source1: %{base}d.service
 Source3: %{base}d.conf
 Source4: %{base}.conf
+Patch0: harden_bitcoind.service.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc-c++
@@ -165,7 +166,7 @@ several GB of space, slowly growing.
 This package provides automated tests for %{name}-qt5 and %{name}d.
 %prep
-%autosetup
+%autosetup -p1
 %build
 autoreconf -fiv
diff --git a/bitcoind.service b/bitcoind.service
index 62b3f45..3d1f536 100644
--- a/bitcoind.service
+++ b/bitcoind.service
@@ -4,6 +4,19 @@ Requires=network.target
 After=network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 User=bitcoin
 PIDFile=/run/bitcoin/bitcoind.pid
 ExecStart=/usr/bin/bitcoind -conf=/etc/bitcoin/bitcoin.conf -pid=/run/bitcoin/bitcoind.pid -datadir=/var/lib/bitcoin
diff --git a/harden_bitcoind.service.patch b/harden_bitcoind.service.patch
new file mode 100644
index 0000000..817ea73
--- /dev/null
+++ b/harden_bitcoind.service.patch
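Review bot: Patch0 rewrites `contrib/init/bitcoind.service` inside the unpacked tarball, while the spec also ships its own `Source1: %{base}d.service`, which this same commit hardens separately; unless %install (not in this hunk) copies the patched contrib unit, only one of the two unit files lands in the package and the other edit is dead. The two blocks already diverge — the Source1 unit gains ProtectSystem/ProtectHome/PrivateDevices, the patch does not — so it is worth recording which file is installed, or dropping the redundant one, so they do not drift further. A one-line comment next to the new line would make the intent explicit, e.g. `# Patch0 hardens the upstream contrib unit; the unit actually installed is Source1 — keep both in sync`, adjusted to whatever %install really does.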
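Review bot: The hardening block added to the Source1 unit omits `NoNewPrivileges=true`, `PrivateTmp=true` and `MemoryDenyWriteExecute=true`, all of which the upstream contrib unit already carries (NoNewPrivileges and MemoryDenyWriteExecute are visible as hunk-header and context lines of harden_bitcoind.service.patch in this same commit), so the packaged unit ends up weaker than the upstream one it is meant to mirror. Adding those three lines inside the automatic block keeps the two units aligned; upstream already runs bitcoind with MemoryDenyWriteExecute, so it should not break the daemon, though it is worth confirming on this build. ProtectSystem=full leaves /var and /run writable, which is what `-datadir=/var/lib/bitcoin` and the PIDFile under /run/bitcoin need; if you later move to `ProtectSystem=strict`, pair it with `ReadWritePaths=/var/lib/bitcoin` and a `RuntimeDirectory=bitcoin` for the PID file, or the daemon will fail at start. Nothing in the added block restricts socket families or namespaces, so `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and `RestrictNamespaces=true` are the natural next additions for a network daemon with a fixed socket footprint.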
@@ -0,0 +1,21 @@
+Index: bitcoin-0.21.1/contrib/init/bitcoind.service
+===================================================================
+--- bitcoin-0.21.1.orig/contrib/init/bitcoind.service
++++ bitcoin-0.21.1/contrib/init/bitcoind.service
+@@ -69,6 +69,16 @@ NoNewPrivileges=true
+ # Use a new /dev namespace only populated with API pseudo devices
+ # such as /dev/null, /dev/zero and /dev/random.
+ PrivateDevices=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ # Deny the creation of writable and executable memory mappings.
+ MemoryDenyWriteExecute=true