Accepting request 926523 from hardware

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort (forwarded request 925369 from jsegitz) OBS-URL: https://build.opensuse.org/request/show/926523 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/numad?expand=0&rev=6
2021-10-22 22:50:24 +00:00 · 2021-10-22 22:50:24 +00:00 · f29431b9db
commit f29431b9db
parent 4955890c4e c7dd7fa11a
3 changed files with 32 additions and 4 deletions
--- a/harden_numad.service.patch
+++ b/harden_numad.service.patch
@ -0,0 +1,20 @@
+Index: numad-0.5.20130522/numad.service
+===================================================================
+--- numad-0.5.20130522.orig/numad.service
+++ numad-0.5.20130522/numad.service
+@@ -2,6 +2,15 @@
+ Description=numad - The NUMA daemon that manages application locality.
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ EnvironmentFile=/etc/numad.conf
+ ExecStart=/usr/sbin/numad -i $INTERVAL -F
--- a/numad.changes
+++ b/numad.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Oct 15 07:27:14 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_numad.service.patch
+
 -------------------------------------------------------------------
 Wed Jun 12 14:58:50 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/numad.spec
+++ b/numad.spec
@ -1,7 +1,7 @@
 #
 # spec file for package numad
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,14 +12,14 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


 Name:           numad
-Url:            http://git.fedorahosted.org/git/numad.git
+URL:            http://git.fedorahosted.org/git/numad.git
 Summary:        Userspace daemon that automatically binds workloads to NUMA nodes
-License:        LGPL-2.1
+License:        LGPL-2.1-only
 Group:          System/Daemons
 Version:        0.5.20130522
 Release:        0
@ -32,6 +32,7 @@ Patch4:         numad-versioning.patch
 Patch5:         numad-rpm-opt-flags.patch
 Patch6:         numad-opensuse-systemd.patch
 Patch7:         numad-systemd-simple-type.patch
+Patch8:         harden_numad.service.patch

 %if 0%{?suse_version} > 1140
 BuildRequires:  pkgconfig(systemd)
@ -62,6 +63,7 @@ to regress performance.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1

 %build
 make OPT_CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags}