diff --git a/harden_rpcbind.service.patch b/harden_rpcbind.service.patch
new file mode 100644
index 0000000..0f47a8d
--- /dev/null
+++ b/harden_rpcbind.service.patch
@@ -0,0 +1,24 @@
+Index: rpcbind-1.2.6/systemd/rpcbind.service.in
+===================================================================
+--- rpcbind-1.2.6.orig/systemd/rpcbind.service.in
++++ rpcbind-1.2.6/systemd/rpcbind.service.in
+@@ -11,6 +11,19 @@ Wants=rpcbind.target
+ After=sysinit.target
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=notify
+ # distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
+ EnvironmentFile=-/etc/sysconfig/rpcbind
diff --git a/rpcbind.changes b/rpcbind.changes
index ffd8b99..88d7484 100644
--- a/rpcbind.changes
+++ b/rpcbind.changes
@@ -8,6 +8,12 @@ Tue Dec 27 13:16:20 UTC 2022 - Ludwig Nussel
 
 - Replace transitional %usrmerged macro with regular version check (boo#1206798)
 
+-------------------------------------------------------------------
+Tue Nov 16 07:39:53 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_rpcbind.service.patch
+
 -------------------------------------------------------------------
 Mon Jun 21 15:44:17 UTC 2021 - Callum Farmer
 
diff --git a/rpcbind.spec b/rpcbind.spec
index 833c3e3..173939d 100644
--- a/rpcbind.spec
+++ b/rpcbind.spec
@@ -33,6 +33,7 @@ Source2: sysconfig.rpcbind
 Source5: rpc-user.conf
 Patch1: 0001-systemd-unit-files.patch
 Patch2: 0001-change-lockingdir-to-run.patch
+Patch3: harden_rpcbind.service.patch
 BuildRequires: libtirpc-devel >= 1.0.1
 BuildRequires: libtool
 BuildRequires: pkgconfig
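Review bot: In harden_rpcbind.service.patch, the added `[Service]` directives cover filesystem, device and kernel-interface isolation but leave privilege and network confinement untouched, which is the part that matters most for a daemon answering RPC requests from the network. Consider adding `NoNewPrivileges=true` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` once they have been tested against rpcbind's startup and privilege drop; whether the service needs further address families is not visible here. `ProtectSystem=full` makes /usr, /boot, /efi and /etc read-only, so confirm that the directory rpcbind writes its warm-start state to lies outside those paths (the name of Patch2 suggests it was moved to /run, but that patch is not shown). `systemd-analyze security rpcbind.service` gives a quick before/after view of the remaining exposure. The `[Service]` section continues beyond the lines shown in the inner hunk.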
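Review bot: In rpcbind.spec the hunk only declares `Patch3: harden_rpcbind.service.patch`; no change to `%prep` appears anywhere in this diff. If `%prep` applies patches one by one (`%patch1`, `%patch2`) rather than through `%autosetup` or `%autopatch`, the new patch ends up in the source package but is never applied, and the unit ships without the hardening the changelog entry announces. In that case add `%patch3 -p1` next to the existing patch lines; `-p1` matches the `rpcbind-1.2.6/` path prefix used inside the patch. Checking the installed rpcbind.service for the `ProtectSystem=full` line after a build confirms it either way.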