Accepting request 919470 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/919470 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=32
2021-09-27 18:40:19 +00:00 · 2021-09-27 18:40:19 +00:00 · 1ff1676d67
commit 1ff1676d67
parent 9291c97e61
3 changed files with 29 additions and 0 deletions
--- a/frr.changes
+++ b/frr.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_frr.service.patch
+
 -------------------------------------------------------------------
 Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski <mt@suse.com>

--- a/frr.spec
+++ b/frr.spec
@ -42,6 +42,7 @@ URL:            https://www.frrouting.org
 Source:         https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.d
 Patch1:         0001-disable-zmq-test.patch
+Patch2:	harden_frr.service.patch
 BuildRequires:  %{python_module Sphinx}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module pytest}
@ -182,6 +183,7 @@ developing OSPF-API and frr applications.
 %prep
 %setup -q -n %{name}-%{name}-%{version}
 %patch1 -p1
+%patch2 -p1

 %build
 # GCC LTO objects must be "fat" to avoid assembly errors
--- a/harden_frr.service.patch
+++ b/harden_frr.service.patch
@ -0,0 +1,21 @@
+Index: frr-frr-7.5.1/tools/frr.service
+===================================================================
+--- frr-frr-7.5.1.orig/tools/frr.service
+++ frr-frr-7.5.1/tools/frr.service
+@@ -7,6 +7,16 @@ Before=network.target
+ OnFailure=heartbeat-failed@%n.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Nice=-5
+ Type=forking
+ NotifyAccess=all