Accepting request 933481 from home:jsegitz:branches:systemdhardening:network:vpn

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/933481 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=129
2021-11-27 14:21:41 +00:00 · 2021-11-27 14:21:41 +00:00 · 0e5610efdc
commit 0e5610efdc
parent 9d37f89cf7
3 changed files with 30 additions and 0 deletions
--- a/harden_strongswan.service.patch
+++ b/harden_strongswan.service.patch
@ -0,0 +1,22 @@
+Index: strongswan-5.9.3/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.9.3.orig/init/systemd/strongswan.service.in
+++ strongswan-5.9.3/init/systemd/strongswan.service.in
+@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
+ After=network-online.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 24 08:25:29 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_strongswan.service.patch
+
 -------------------------------------------------------------------
 Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>

--- a/strongswan.spec
+++ b/strongswan.spec
@ -80,6 +80,7 @@ Patch2:         %{name}_ipsec_service.patch
 Patch3:         %{name}_fipscheck.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+Patch6:	harden_strongswan.service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@ -267,6 +268,7 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
     < %{_sourcedir}/fipscheck.sh.in        \
     > _fipscheck
 %endif
+%patch6 -p1

 %build
 CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"