Accepting request 914366 from home:jsegitz:branches:systemdhardening:server:irc

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/914366 OBS-URL: https://build.opensuse.org/package/show/server:irc/bitlbee?expand=0&rev=45
2021-08-28 10:39:09 +00:00 · 2021-08-28 10:39:09 +00:00 · 6cbfe26960
commit 6cbfe26960
parent b0d420940b
4 changed files with 47 additions and 0 deletions
--- a/bitlbee.changes
+++ b/bitlbee.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Aug 25 08:20:54 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_bitlbee.service.patch
+  Modified:
+  * bitlbee.service-suse.in
+
 -------------------------------------------------------------------
 Tue Jul 14 16:05:02 UTC 2020 - Matej Cepl <mcepl@suse.com>

--- a/bitlbee.service-suse.in
+++ b/bitlbee.service-suse.in
@ -14,6 +14,19 @@ Description=Bitblee Daemon the IM to IRC gateway
 After=network.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 ExecStartPre=/usr/bin/mkdir -p /run/bitlbee
 ExecStartPre=/usr/bin/chown bitlbee.bitlbee /run/bitlbee
--- a/bitlbee.spec
+++ b/bitlbee.spec
@ -27,6 +27,7 @@ Group:          Productivity/Networking/IRC
 URL:            http://www.bitlbee.org/
 Source:         http://get.bitlbee.org/src/bitlbee-%{version}.tar.gz
 Source2:        %{name}.service-suse.in
+Patch0:	harden_bitlbee.service.patch
 BuildRequires:  fdupes
 BuildRequires:  glibc-devel
 BuildRequires:  gnutls-devel
@ -82,6 +83,7 @@ This package contains development files for external plugins.

 %prep
 %setup -q
+%patch0 -p1

 # make it verbose!
 find . -name Makefile -exec sed -i.orig 's|@$(CC)|$(CC)|;s|@$(LD)|$(LD)|' {} +
--- a/harden_bitlbee.service.patch
+++ b/harden_bitlbee.service.patch
@ -0,0 +1,24 @@
+Index: bitlbee-3.6/init/bitlbee.service.in
+===================================================================
+--- bitlbee-3.6.orig/init/bitlbee.service.in
+++ bitlbee-3.6/init/bitlbee.service.in
+@@ -2,6 +2,19 @@
+ Description=BitlBee IRC/IM gateway
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ ExecStart=@sbindir@bitlbee -F -n
+ KillMode=process
+