diff --git a/harden_fence_sanlockd.service.patch b/harden_fence_sanlockd.service.patch
new file mode 100644
index 0000000..924b2fa
--- /dev/null
+++ b/harden_fence_sanlockd.service.patch
@@ -0,0 +1,22 @@
+Index: sanlock-3.8.4/init.d/fence_sanlockd.service
+===================================================================
+--- sanlock-3.8.4.orig/init.d/fence_sanlockd.service
++++ sanlock-3.8.4/init.d/fence_sanlockd.service
+@@ -4,6 +4,17 @@ After=syslog.target wdmd.service sanlock
+ Before=corosync.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ ExecStart=/usr/lib/systemd/systemd-fence_sanlockd start
+ ExecStop=/usr/lib/systemd/systemd-fence_sanlockd stop
diff --git a/harden_sanlk-resetd.service.patch b/harden_sanlk-resetd.service.patch
new file mode 100644
index 0000000..f0898e5
--- /dev/null
+++ b/harden_sanlk-resetd.service.patch
@@ -0,0 +1,22 @@
+Index: sanlock-3.8.4/init.d/sanlk-resetd.service
+===================================================================
+--- sanlock-3.8.4.orig/init.d/sanlk-resetd.service
++++ sanlock-3.8.4/init.d/sanlk-resetd.service
+@@ -4,6 +4,17 @@ After=wdmd.service sanlock.service
+ Requires=wdmd.service sanlock.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=forking
+ ExecStart=/usr/sbin/sanlk-resetd
+ 
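Review bot: `RestrictRealtime=true` in the fence_sanlockd hunk may deny the daemon the realtime scheduling class it asks for; the spec hunk on this page already carries `sanlock-SCHED_RESET_ON_FORK-undefined.patch`, which suggests this package's daemons request SCHED_RR with SCHED_RESET_ON_FORK, and under RestrictRealtime that sched_setscheduler() call fails with EPERM. Whether fence_sanlockd treats that as fatal or only logs it is not visible here; it should be confirmed on a test node before this lands, because a fence agent that fails to start leaves the cluster without fencing rather than with hardened fencing. If the daemon needs realtime, drop the `RestrictRealtime=true` line; otherwise record in the patch comment that the loss of realtime priority was checked and accepted. The same directive is added in the sanlk-resetd hunk below and the same check applies there.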
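Review bot: `ProtectKernelTunables=true` in the sanlk-resetd hunk makes /proc/sysrq-trigger read-only for the service (systemd.exec(5) lists that path among the ones the directive protects), and sanlk-resetd's sysrq reset mode, if it is enabled on the host, works by writing to exactly that file. A reset daemon whose reset write fails with EROFS is worse than an unhardened one, since the host it was supposed to reset stays up while sanlock assumes the reset is being handled. Unless the packagers have confirmed that only the watchdog reset path is used here, this line should be removed from the sanlk-resetd patch, or the unit should carry a comment like `# ProtectKernelTunables omitted: sanlk-resetd writes /proc/sysrq-trigger`. The directive is harmless for fence_sanlockd only if that daemon never writes sysrq, which cannot be verified from this page.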
diff --git a/sanlock.changes b/sanlock.changes
index 8f87b4e..592337f 100644
--- a/sanlock.changes
+++ b/sanlock.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 16 14:08:25 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_fence_sanlockd.service.patch
+ * harden_sanlk-resetd.service.patch
+
 -------------------------------------------------------------------
 Wed Jun 9 19:58:35 UTC 2021 - James Fehlig
 
diff --git a/sanlock.spec b/sanlock.spec
index d1973c6..b63b278 100644
--- a/sanlock.spec
+++ b/sanlock.spec
@@ -1,5 +1,5 @@
 #
-# spec file
+# spec file for package sanlock
 #
 # Copyright (c) 2021 SUSE LLC
 #
@@ -62,6 +62,8 @@ Patch100: sanlock-SCHED_RESET_ON_FORK-undefined.patch
 Patch101: sanlock-python-prefix.patch
 Patch102: suse-systemd.patch
 Patch103: suse-no-date-time.patch
+Patch104: harden_fence_sanlockd.service.patch
+Patch105: harden_sanlk-resetd.service.patch
 BuildRequires: %{python_module devel}
 BuildRequires: libaio-devel
 BuildRequires: pkgconfig
@@ -141,6 +143,8 @@ common sanlock lockspace.
 %patch101
 %patch102 -p1
 %patch103 -p1
+%patch104 -p1
+%patch105 -p1
 %build
 %if ! %{with python}