From 0c3176bfecea587f2a52affea4ca4b103907347a80d729fac6c6e609adc271e0 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 15 Oct 2021 16:58:47 +0000 Subject: [PATCH 1/2] Accepting request 925353 from home:jsegitz:branches:systemdhardening:utilities Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/925353 OBS-URL: https://build.opensuse.org/package/show/utilities/parkverbot?expand=0&rev=22
---
harden_parkverbot.service.patch | 22 ++++++++++++++++++++++ parkverbot.changes | 6 ++++++ parkverbot.spec | 1 + 3 files changed, 29 insertions(+) create mode 100644 harden_parkverbot.service.patch
diff --git a/harden_parkverbot.service.patch b/harden_parkverbot.service.patch
new file mode 100644
index 0000000..76c21ee
--- /dev/null
+++ b/harden_parkverbot.service.patch
@@ -0,0 +1,22 @@
+Index: parkverbot-1.3/src/parkverbot.service
+===================================================================
+--- parkverbot-1.3.orig/src/parkverbot.service
++++ parkverbot-1.3/src/parkverbot.service
+@@ -2,6 +2,17 @@
+ Description=Hard disk head parking inhibitor
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ EnvironmentFile=/etc/sysconfig/parkverbot
+ ExecStart=/usr/sbin/parkverbot $PARKVERBOT_DISKS
+ Restart=on-abort
diff --git a/parkverbot.changes b/parkverbot.changes
index b9cfd54..1c5850f 100644
--- a/parkverbot.changes
+++ b/parkverbot.changes
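Review bot: The directive block added under [Service] stops short of `NoNewPrivileges=true`, and no `User=` appears in the visible part of the unit, so the daemon presumably still runs as root with its full capability set; the unit continues outside the hunk, so this is inferred from the lines shown. Going by the description and ExecStart, the process only needs to read the disks named in $PARKVERBOT_DISKS, which would make `NoNewPrivileges=true` and `PrivateNetwork=true` candidates to follow `RestrictRealtime=true` once confirmed against the binary. `PrivateDevices=true` and `ProtectClock=true` should stay out, because both restrict device-node access and would cut the service off from those disks. The commit message states the set was not tested, so a service start with real disks and a `systemd-analyze security parkverbot.service` run belong before this ships.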
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 14 10:40:22 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_parkverbot.service.patch
+
 -------------------------------------------------------------------
 Fri Sep 4 13:10:46 UTC 2020 - Jan Engelhardt
diff --git a/parkverbot.spec b/parkverbot.spec
index 8a907da..5e61d62 100644
--- a/parkverbot.spec
+++ b/parkverbot.spec
@@ -28,6 +28,7 @@ URL: https://inai.de/projects/parkverbot/
 Source: https://inai.de/files/parkverbot/%name-%version.tar.xz
 Source2: https://inai.de/files/parkverbot/%name-%version.tar.asc
 Source3: %name.keyring
+Patch0: harden_parkverbot.service.patch
 BuildRequires: pkg-config >= 0.23
 BuildRequires: systemd-rpm-macros
 BuildRequires: xz
From f65cb82fd5f8af8826c73c6d4d4827afe36db2043cbc688f563871db07c2585e Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 17 Oct 2021 19:35:23 +0000 Subject: [PATCH 2/2] - Drop harden_parkverbot.service.patch (merged upstream) OBS-URL: https://build.opensuse.org/package/show/utilities/parkverbot?expand=0&rev=23
---
harden_parkverbot.service.patch | 22 ---------------------- parkverbot-1.3.tar.asc | 16 ---------------- parkverbot-1.3.tar.xz | 3 --- parkverbot-1.4.tar.asc | 16 ++++++++++++++++ parkverbot-1.4.tar.xz | 3 +++ parkverbot.changes | 5 +++++ parkverbot.spec | 7 +++---- 7 files changed, 27 insertions(+), 45 deletions(-) delete mode 100644 harden_parkverbot.service.patch delete mode 100644 parkverbot-1.3.tar.asc delete mode 100644 parkverbot-1.3.tar.xz create mode 100644 parkverbot-1.4.tar.asc create mode 100644 parkverbot-1.4.tar.xz
diff --git a/harden_parkverbot.service.patch b/harden_parkverbot.service.patch
deleted file mode 100644
index 76c21ee..0000000
--- a/harden_parkverbot.service.patch
+++ /dev/null
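Review bot: The added `Patch0: harden_parkverbot.service.patch` line is the only change to parkverbot.spec in this commit (the diffstat lists one insertion), so the hardening reaches the installed unit only if %prep, which lies outside this hunk, already applies patches automatically, for example through `%autosetup -p1` or `%autopatch -p1`. If %prep calls plain `%setup`, the patch is declared but never applied and a `%patch0 -p1` line is missing. The paths inside the patch carry one leading directory (`parkverbot-1.3/src/parkverbot.service`), hence the `-p1`.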
@@ -1,22 +0,0 @@
-Index: parkverbot-1.3/src/parkverbot.service
-===================================================================
---- parkverbot-1.3.orig/src/parkverbot.service
-+++ parkverbot-1.3/src/parkverbot.service
-@@ -2,6 +2,17 @@
- Description=Hard disk head parking inhibitor
-
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+ProtectHostname=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- EnvironmentFile=/etc/sysconfig/parkverbot
- ExecStart=/usr/sbin/parkverbot $PARKVERBOT_DISKS
- Restart=on-abort
diff --git a/parkverbot-1.3.tar.asc b/parkverbot-1.3.tar.asc
deleted file mode 100644
index b8eec2c..0000000
--- a/parkverbot-1.3.tar.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEI2hsEKRWkb56QlEJ1jiBgfNaCTgFAl9SOg8ACgkQ1jiBgfNa
-CThCag//coRNc45+RfjAYRy6/KX50BNvQnxjNuhxG5O+38eEs+MVdzeQj3ouAd8x
-MemP+hxNYbkF1htMxt/vMVsyabpmSjfaEGDySsSYBY3NSkYz2Uodqz/nY+PS4PpY
-TgdcA1qI3l5L3mLNzwDzl0HJpMo9uSuCZFT8qzibrHhCUJ4DKR/XCLk5To9ngTAJ
-OgQ6xzWmhv3n9YsvaWYwZor0Jwqg/+AhN90XI0dyOH9C8s95iM6uYDq/KkCekLsQ
-NqOhxtaimfP7vMTi4JMgaaInGWBIl5KEDsTdTePF48F9fL4CVLjBecYeR7YSxxEU
-ee1noKarFI54WG3GpvK6hLkjHJCOtSN6GE3lUdQSIuCvxwQaIv0YLKeMEdDT8GN/
-wRyjsNVu41Z31j/OopECvh2Cx9bFuKxB3cpn/vz1L3TQJlObHSnoX5B5vg864RRJ
-bKGhP4WFbRxwKCDMxI1z70vqzBgYM3n4BAOrdZ3yBDa+BA/saqBlUs4dhKKhpXpX
-IVRQm+3cwAIKuzL0Gxsi8/S+xgmnHy6LdsoNNWiM7Yw9SNyA8HB2M1082+8gI/4Y
-UJFLjexgmxElzeMRDY/505O2EA76KaTKsbPjP/gEQOrwyOH5gtRWIGJfLt19gpuZ
-uMsFsEUM5c/lYkpH63rdsNtiFHjYd3miyedkHwZymzfBKZa08Bs=
-=FGdk
------END PGP SIGNATURE-----
diff --git a/parkverbot-1.3.tar.xz b/parkverbot-1.3.tar.xz
deleted file mode 100644
index 0a5707f..0000000
--- a/parkverbot-1.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:721b4e8c87b3751db4d7adf33f24e4b4af88491626e20b5f5e2f42addd45d848
-size 74356
diff --git a/parkverbot-1.4.tar.asc b/parkverbot-1.4.tar.asc
new file mode 100644
index 0000000..d73feca
--- /dev/null
+++ b/parkverbot-1.4.tar.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEI2hsEKRWkb56QlEJ1jiBgfNaCTgFAmFsVtcACgkQ1jiBgfNa
+CTg8Hw//bwV2Da25wS9YU1zyNxp+iKURjLa+pO9wqSoUReCnzQjd4zWcK5TjADAZ
+6Ej3t9DIzGd/CXIlo8iFGIyHeirYROIlgiY9VSMjPOgcuBItfSeDUCIRr25TVnj1
+lR0t1GU55FWIloLfTFjZqAorVp/PLSpnHM6Yb/aJENg/6TmPpUz07SYoQPoypws6
+wA7Wt6XOxTHaBfUlugmJqWi3Qn24jUAfNMNG71rBU9I9oebuwOZpJEJzmpKTAfUa
+kBqzXcYP+HF/A7Ma8dSObHoCgFmg3J5t8K3rwDGNQJdh+VBUu+8iNtesAgZakBb9
+npA4n738CdF+YRHgmRCv4UX46B6llPcrQvnty/DOM/hkTRBpWYXY60cy44oy9aGB
+Mzqb/KUh8iKXeVnP0bh7ef1Yk4Bdh8Id/3FtmiWKSe2XgiAw0q7CxblweuWtnqwp
+8llyrEXWneBrVeGFO9TWpRokfI2Wz7dAG+/6YRX0D5NtHW+o24hle5ORw17CeRlX
+zTl7x5MyNmmdVfM8Ag3x731fmmujaZBZoMQI3IG7xUdlgwYZjZDpzkNHqqWdX0sH
+A66lsHhtOs1v9DWeboa9UDWhOk2oloR6IRVjALXjAxEBjamicen2YZcJ/mvbJSMy
++QTffp8wwZZrMLNCCOb2Zxgyu/JzclhIOCoznYwZjTO2c+bmm5A=
+=tvAA
+-----END PGP SIGNATURE-----
diff --git a/parkverbot-1.4.tar.xz b/parkverbot-1.4.tar.xz
new file mode 100644
index 0000000..26a7750
--- /dev/null
+++ b/parkverbot-1.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f8a1c2bbcf5821e677e50e59ad8cf281c6750f9410fd87939c7235f045b3afea
+size 75460
diff --git a/parkverbot.changes b/parkverbot.changes
index 1c5850f..32be0db 100644
--- a/parkverbot.changes
+++ b/parkverbot.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sun Oct 17 17:05:44 UTC 2021 - Jan Engelhardt
+
+- Drop harden_parkverbot.service.patch (merged upstream)
+
 -------------------------------------------------------------------
 Thu Oct 14 10:40:22 UTC 2021 - Johannes Segitz
diff --git a/parkverbot.spec b/parkverbot.spec
index 5e61d62..b34f1ef 100644
--- a/parkverbot.spec
+++ b/parkverbot.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package parkverbot
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: parkverbot
-Version: 1.3
+Version: 1.4
 Release: 0
 Summary: Daemon to prevent hard disk head parking in rotational media
 License: GPL-2.0-or-later
@@ -28,11 +28,10 @@ URL: https://inai.de/projects/parkverbot/
 Source: https://inai.de/files/parkverbot/%name-%version.tar.xz
 Source2: https://inai.de/files/parkverbot/%name-%version.tar.asc
 Source3: %name.keyring
-Patch0: harden_parkverbot.service.patch
 BuildRequires: pkg-config >= 0.23
 BuildRequires: systemd-rpm-macros
 BuildRequires: xz
-BuildRequires: pkgconfig(libHX) >= 3.12
+BuildRequires: pkgconfig(libHX) >= 4.2
 %description
 Modern rotational hard disks have a misfeature involving the regular