Accepting request 925351 from home:jsegitz:branches:systemdhardening:security

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/925351 OBS-URL: https://build.opensuse.org/package/show/security/parsec?expand=0&rev=16
2021-12-21 15:09:55 +00:00 · 2021-12-21 15:09:55 +00:00 · fad872c73b
commit fad872c73b
parent 30810bef27
4 changed files with 43 additions and 0 deletions
--- a/harden_parsec.service.patch
+++ b/harden_parsec.service.patch
@ -0,0 +1,22 @@
+Index: parsec-0.8.0/systemd-daemon/parsec.service
+===================================================================
+--- parsec-0.8.0.orig/systemd-daemon/parsec.service
+++ parsec-0.8.0/systemd-daemon/parsec.service
+@@ -3,6 +3,17 @@ Description=Parsec Service
+ Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ WorkingDirectory=/home/parsec/
+ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
+ 
--- a/parsec.changes
+++ b/parsec.changes
@ -4,6 +4,14 @@ Thu Dec  9 11:05:48 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 - Fix /run/parsec permission to 755. This is enough for all
  users to access the service - boo#1193484 - CVE-2021-36781

+-------------------------------------------------------------------
+Fri Oct 15 07:01:37 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_parsec.service.patch
+  Modified:
+  * parsec.service
+
 -------------------------------------------------------------------
 Mon Sep 27 10:18:08 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

--- a/parsec.service
+++ b/parsec.service
@ -3,6 +3,17 @@ Description=Parsec Service
 Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=notify
 KillMode=process
 Restart=on-failure
--- a/parsec.spec
+++ b/parsec.spec
@ -33,6 +33,7 @@ Source4:        config.toml
 Source5:        parsec.conf
 Source6:        system-user-parsec.conf
 Source10:       https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz
+Patch0:	harden_parsec.service.patch
 BuildRequires:  cargo
 BuildRequires:  clang-devel
 BuildRequires:  cmake
@ -75,6 +76,7 @@ sed -i -e 's#default = \["unix-peer-credentials-authenticator"\]##' Cargo.toml
 # all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator", "jwt-svid-authenticator"]
 # But disable "trusted-service-provider" until we have a trusted-services package
 echo 'default = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "all-authenticators"]' >> Cargo.toml
+%patch0 -p1

 %build
 export PROTOC=%{_bindir}/protoc