diff --git a/e2fsprogs.changes b/e2fsprogs.changes
index 5568cd2..6d760ce 100644
--- a/e2fsprogs.changes
+++ b/e2fsprogs.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 15 12:11:41 UTC 2021 - Johannes Segitz
+
+- Drop ProtectClock hardening, can cause issues if other device acceess is needed
+
 -------------------------------------------------------------------
 Thu Sep 30 14:13:06 UTC 2021 - Jan Kara
diff --git a/harden_e2scrub@.service.patch b/harden_e2scrub@.service.patch
index e5339a4..bc9e93f 100644
--- a/harden_e2scrub@.service.patch
+++ b/harden_e2scrub@.service.patch
@@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
 ===================================================================
 --- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
 +++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
-@@ -10,6 +10,15 @@ PrivateNetwork=true
+@@ -10,6 +10,14 @@ PrivateNetwork=true
 ProtectSystem=true
 ProtectHome=read-only
 PrivateTmp=yes
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
diff --git a/harden_e2scrub_all.service.patch b/harden_e2scrub_all.service.patch
index ac01700..ac4b4e8 100644
--- a/harden_e2scrub_all.service.patch
+++ b/harden_e2scrub_all.service.patch
@@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
-@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
+@@ -6,6 +6,17 @@ ConditionCapability=CAP_SYS_RAWIO
 Documentation=man:e2scrub_all(8)
 [Service]
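Review bot: Nothing in the patched unit records that `ProtectClock=` was left out on purpose, and the hardening block in `harden_e2scrub@.service.patch` still opens with `# added automatically`, so a later automated hardening pass could put the directive back. systemd documents that `ProtectClock=true` implies `DeviceAllow=char-rtc r`, which presumably is what restricts the other device access the changelog entry mentions. I would add a comment beside the remaining directives, for example `# ProtectClock= omitted on purpose: it implies DeviceAllow=char-rtc r, which blocks access to other devices`. The same applies to the e2scrub_all, e2scrub_fail@ and e2scrub_reap patches changed in this commit.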
@@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
 +ProtectSystem=full
 +ProtectHome=true
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
diff --git a/harden_e2scrub_fail@.service.patch b/harden_e2scrub_fail@.service.patch
index 043d1bf..2c31fc2 100644
--- a/harden_e2scrub_fail@.service.patch
+++ b/harden_e2scrub_fail@.service.patch
@@ -2,7 +2,7 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
-@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
+@@ -3,6 +3,17 @@ Description=Online ext4 Metadata Check F
 Documentation=man:e2scrub(8)
 [Service]
@@ -11,7 +11,6 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
 +ProtectSystem=full
 +ProtectHome=true
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
diff --git a/harden_e2scrub_reap.service.patch b/harden_e2scrub_reap.service.patch
index e2e1311..f26f378 100644
--- a/harden_e2scrub_reap.service.patch
+++ b/harden_e2scrub_reap.service.patch
@@ -2,14 +2,13 @@ Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
 ===================================================================
 --- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
 +++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
-@@ -11,6 +11,16 @@ PrivateNetwork=true
+@@ -11,6 +11,15 @@ PrivateNetwork=true
 ProtectSystem=true
 ProtectHome=read-only
 PrivateTmp=yes
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
-+ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
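Review bot: `ProtectClock=true` is dropped from `harden_e2scrub_fail@.service.patch` along with the other units, but the truncated description in its hunk header ("Online ext4 Metadata Check F") suggests this unit only reports failures. If the script it runs does not open block devices, the clock protection could stay on this unit and be removed only from the units that need device access. That script is not visible in this diff, so this needs confirming before restoring `+ProtectClock=true` here.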