diff --git a/harden_parsec.service.patch b/harden_parsec.service.patch
new file mode 100644
index 0000000..d8bb41d
--- /dev/null
+++ b/harden_parsec.service.patch
@@ -0,0 +1,22 @@
+Index: parsec-0.8.0/systemd-daemon/parsec.service
+===================================================================
+--- parsec-0.8.0.orig/systemd-daemon/parsec.service
++++ parsec-0.8.0/systemd-daemon/parsec.service
+@@ -3,6 +3,17 @@ Description=Parsec Service
+ Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ WorkingDirectory=/home/parsec/
+ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
+ 
diff --git a/parsec.changes b/parsec.changes
index 3bb6b50..7b1c196 100644
--- a/parsec.changes
+++ b/parsec.changes
@@ -4,6 +4,14 @@ Thu Dec 9 11:05:48 UTC 2021 - Guillaume GARDET
 - Fix /run/parsec permission to 755. This is enough for all users to access the service - boo#1193484 - CVE-2021-36781
+-------------------------------------------------------------------
+Fri Oct 15 07:01:37 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_parsec.service.patch
+  Modified:
+  * parsec.service
+
 -------------------------------------------------------------------
 Mon Sep 27 10:18:08 UTC 2021 - Guillaume GARDET
diff --git a/parsec.service b/parsec.service
index 0e708c1..96ec679 100644
--- a/parsec.service
+++ b/parsec.service
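Review bot: `ProtectHome=true` is added a few lines above the retained context line `WorkingDirectory=/home/parsec/`; as I read systemd's ProtectHome= semantics, `true` makes /home inaccessible inside the unit's mount namespace, so the change of working directory (and any state parsec keeps under it) would fail and the unit would likely not start. If the working directory genuinely has to stay under /home, `ProtectHome=tmpfs` together with `BindPaths=/home/parsec` keeps the hardening while exposing only that tree; otherwise moving the state to a `StateDirectory=` under /var/lib lets `ProtectHome=true` stand as written. The packaged parsec.service in the next file section gets the identical block, so the same question applies there if it carries the same WorkingDirectory= (not visible in that hunk). Further directives such as `NoNewPrivileges=true` or `PrivateTmp=true` are worth considering, but `PrivateDevices=` should be left out because the tpm-provider build enabled in parsec.spec presumably needs the TPM device nodes.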
@@ -3,6 +3,17 @@ Description=Parsec Service
 Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=notify
 KillMode=process
 Restart=on-failure
diff --git a/parsec.spec b/parsec.spec
index 57eb534..08b567c 100644
--- a/parsec.spec
+++ b/parsec.spec
@@ -33,6 +33,7 @@ Source4: config.toml
 Source5: parsec.conf
 Source6: system-user-parsec.conf
 Source10: https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz
+Patch0: harden_parsec.service.patch
 BuildRequires: cargo
 BuildRequires: clang-devel
 BuildRequires: cmake
@@ -75,6 +76,7 @@ sed -i -e 's#default = \["unix-peer-credentials-authenticator"\]##' Cargo.toml
 # all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator", "jwt-svid-authenticator"]
 # But disable "trusted-service-provider" until we have a trusted-services package
 echo 'default = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "all-authenticators"]' >> Cargo.toml
+%patch0 -p1
 %build
 export PROTOC=%{_bindir}/protoc
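Review bot: `%patch0 -p1` applies the hardening block to upstream's systemd-daemon/parsec.service while the packaged parsec.service in the previous section receives the identical block by hand, so the same directives now live in two copies that have to be kept in sync. Which copy is actually installed is decided in %install, outside these hunks; if it is the packaged file, the patch adds maintenance surface without effect. A short comment next to the new `Patch0:` line would make the intent clear to the next maintainer, e.g. `# hardening block is duplicated in the packaged parsec.service; keep both in sync`.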