diff --git a/gpsd.changes b/gpsd.changes
index 7ba0930..f16d32a 100644
--- a/gpsd.changes
+++ b/gpsd.changes
@@ -21,6 +21,13 @@ Wed Sep 22 07:07:20 UTC 2021 - Arjen de Korte
 * No API, ABI changes.
 * Fallback to "python3" if "python" not found.
+-------------------------------------------------------------------
+Mon Sep 20 15:34:40 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_gpsd.service.patch
+ * harden_gpsdctl@.service.patch
+
 -------------------------------------------------------------------
 Sat Aug 7 03:32:40 UTC 2021 - Arjen de Korte
diff --git a/gpsd.spec b/gpsd.spec
index 3ef4338..9cc3cbc 100644
--- a/gpsd.spec
+++ b/gpsd.spec
@@ -34,6 +34,8 @@ Source2: udev.gpsd
 Source3: sysconfig.gpsd
 Source98: https://download-mirror.savannah.gnu.org/releases/gpsd/%{name}-%{version}.tar.xz.sig
 Source99: %{name}.keyring
+Patch0: harden_gpsd.service.patch
+Patch1: harden_gpsdctl@.service.patch
 BuildRequires: chrpath
 BuildRequires: fdupes
 BuildRequires: gcc-c++
@@ -167,6 +169,8 @@ tar -xf %{SOURCE0} -C %{name}-%{version}/python2
 mkdir -p %{name}-%{version}/python3
 tar -xf %{SOURCE0} -C %{name}-%{version}/python3
 cd %{name}-%{version}
+%patch0 -p1
+%patch1 -p1
 %build
 # LTO fails on aarch64 (version 3.22, May 2021)
diff --git a/harden_gpsd.service.patch b/harden_gpsd.service.patch
new file mode 100644
index 0000000..d4823a8
--- /dev/null
+++ b/harden_gpsd.service.patch
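Review bot: `%patch0 -p1` and `%patch1 -p1` run from `%{name}-%{version}`, and since both patch files carry `--- foo.old/python3/gpsd-3.23/...` paths they only touch the `python3/` copy of the source tree; the `python2/` copy unpacked two lines earlier keeps its unhardened `systemd/*.service.in`. If the installed units are always taken from the python3 build this is harmless, but nothing in the visible hunk says so, so a comment next to the `%patch` lines would help the next maintainer, e.g. `# hardening patches apply to the python3 tree only; the shipped units are built from there`, or the patches could be applied to both trees. The `%prep` section this hunk belongs to starts outside the hunk.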
@@ -0,0 +1,23 @@
+Index: gpsd/gpsd-3.23/systemd/gpsd.service.in
+===================================================================
+--- foo.old/python3/gpsd-3.23/systemd/gpsd.service.in
++++ foo/python3/gpsd-3.23/systemd/gpsd.service.in
+@@ -5,6 +5,18 @@ Requires=gpsd.socket
+ After=chronyd.service
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ EnvironmentFile=-/etc/default/gpsd
+ EnvironmentFile=-/etc/sysconfig/gpsd
diff --git a/harden_gpsdctl@.service.patch b/harden_gpsdctl@.service.patch
new file mode 100644
index 0000000..4e0e73e
--- /dev/null
+++ b/harden_gpsdctl@.service.patch
@@ -0,0 +1,23 @@
+Index: gpsd-3.23/systemd/gpsdctl@.service.in
+===================================================================
+--- foo.old/python3/gpsd-3.23/systemd/gpsdctl@.service.in
++++ foo/python3/gpsd-3.23/systemd/gpsdctl@.service.in
+@@ -5,6 +5,18 @@ BindsTo=dev-%i.device
+ After=dev-%i.device
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ Environment="GPSD_SOCKET=@RUNDIR@/gpsd.sock"
+ EnvironmentFile=-/etc/default/gpsd
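Review bot: `ProtectClock=true` in the `[Service]` additions to `gpsd.service.in` is likely to break the daemon rather than only harden it: as far as I read the systemd documentation, that option implies a `DeviceAllow=` rule for the RTC, and once any `DeviceAllow=` is in effect the default `DevicePolicy=auto` confines the unit to the listed devices plus the standard pseudo-devices, so gpsd could no longer open the serial or USB receiver nodes it exists to read. Either drop `ProtectClock=true` from this unit or pair it with explicit `DeviceAllow=` entries for the receiver nodes (a constructed example: `DeviceAllow=/dev/ttyUSB0 rw`, adjusted to the deployment), and test against a real receiver before merging. The same block is added to `gpsdctl@.service.in` in the next hunk; in the visible lines that unit only talks to the control socket via `GPSD_SOCKET`, so it is presumably unaffected — confirm. A short comment above the block recording which options were validated with an attached receiver would save the next person from re-deriving this, e.g. `# ProtectClock= omitted: it implies DeviceAllow= and would hide /dev/tty* from gpsd`.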