rpm/fwupd
SHA256
1
0
Fork 0
forked from pool/fwupd
Code Pull Requests Activity

Accepting request 925357 from home:jsegitz:branches:systemdhardening:Base:System

Browse Source 
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/925357
OBS-URL: https://build.opensuse.org/package/show/Base:System/fwupd?expand=0&rev=107
This commit is contained in:
Joey Lee 2021-10-18 06:28:00 +00:00 committed by Git OBS Bridge
parent 1146c5db81
commit e911b64f10
4 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
fwupd.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Oct 15 07:30:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_fwupd-offline-update.service.patch
* harden_fwupd-refresh.service.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 7 04:56:37 UTC 2021 - Joey Lee <jlee@suse.com> Thu Oct 7 04:56:37 UTC 2021 - Joey Lee <jlee@suse.com>

2
fwupd.spec
View File

@ -51,6 +51,8 @@ Source: %{name}-%{version}.tar.xz
Patch1: fwupd-bsc1130056-change-shim-path.patch Patch1: fwupd-bsc1130056-change-shim-path.patch
# PATCH-FIX-OPENSUSE fwupd-jscSLE-11766-close-efidir-leap-gap.patch jsc#SLE-11766 qkzhu@suse.com -- Set SLE and openSUSE esp os dir at runtime # PATCH-FIX-OPENSUSE fwupd-jscSLE-11766-close-efidir-leap-gap.patch jsc#SLE-11766 qkzhu@suse.com -- Set SLE and openSUSE esp os dir at runtime
Patch2: fwupd-jscSLE-11766-close-efidir-leap-gap.patch Patch2: fwupd-jscSLE-11766-close-efidir-leap-gap.patch
Patch3: harden_fwupd-offline-update.service.patch
Patch4: harden_fwupd-refresh.service.patch
BuildRequires: dejavu-fonts BuildRequires: dejavu-fonts
%if %{with fish_support} %if %{with fish_support}

21
harden_fwupd-offline-update.service.patch Normal file
View File

@ -0,0 +1,21 @@
Index: fwupd-1.6.2/data/fwupd-offline-update.service.in
===================================================================
--- fwupd-1.6.2.orig/data/fwupd-offline-update.service.in
+++ fwupd-1.6.2/data/fwupd-offline-update.service.in
@@ -8,6 +8,16 @@ After=sysinit.target system-update-pre.t
Before=shutdown.target system-update.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=oneshot
ExecStart=@libexecdir@/fwupd/fwupdoffline
FailureAction=reboot

18
harden_fwupd-refresh.service.patch Normal file
View File

@ -0,0 +1,18 @@
Index: fwupd-1.6.2/data/motd/fwupd-refresh.service.in
===================================================================
--- fwupd-1.6.2.orig/data/motd/fwupd-refresh.service.in
+++ fwupd-1.6.2/data/motd/fwupd-refresh.service.in
@@ -13,5 +13,13 @@ SystemCallFilter=~@mount
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+# end of automatic additions
SuccessExitStatus=2
ExecStart=@bindir@/fwupdmgr refresh