From 4ee457e764a92845fdc7af4504da2875c6e386a2ab31bb86ff3cb8ec6e2fe70e Mon Sep 17 00:00:00 2001
From: Marius Kittler
Date: Wed, 24 Nov 2021 15:24:44 +0000
Subject: [PATCH] Accepting request 933476 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933476
OBS-URL: https://build.opensuse.org/package/show/network/syncthing?expand=0&rev=226
---
 harden_strelaysrv.service.patch | 20 ++++++++++++++++++++
 harden_syncthing-resume.service.patch | 22 ++++++++++++++++++++++
 harden_syncthing@.service.patch | 22 ++++++++++++++++++++++
 syncthing.changes | 8 ++++++++
 syncthing.spec | 6 ++++++
 5 files changed, 78 insertions(+)
 create mode 100644 harden_strelaysrv.service.patch
 create mode 100644 harden_syncthing-resume.service.patch
 create mode 100644 harden_syncthing@.service.patch

diff --git a/harden_strelaysrv.service.patch b/harden_strelaysrv.service.patch
new file mode 100644
index 0000000..75ebbe1
--- /dev/null
+++ b/harden_strelaysrv.service.patch
@@ -0,0 +1,20 @@
+Index: syncthing/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
+===================================================================
+--- syncthing.orig/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
++++ syncthing/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
+@@ -17,6 +17,15 @@ NoNewPrivileges=true
+ PrivateTmp=true
+ PrivateDevices=true
+ ProtectHome=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ SystemCallArchitectures=native
+ MemoryDenyWriteExecute=true
+ 
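Review bot: ProtectClock=true is missing from the directives added to strelaysrv.service, although the other two patches in this commit (harden_syncthing-resume.service.patch and harden_syncthing@.service.patch) add it; nothing visible suggests the relay server needs to set the system clock, so either add `ProtectClock=true` after `ProtectHostname=true` or record in the comment block why it was left out. The commit message states the change was not tested; since strelaysrv is a network-facing daemon that already carries MemoryDenyWriteExecute and SystemCallArchitectures, starting the patched unit once and running `systemd-analyze security strelaysrv.service` would confirm the new directives take effect and show the remaining exposure. The patched unit file continues beyond the hunk.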
diff --git a/harden_syncthing-resume.service.patch b/harden_syncthing-resume.service.patch
new file mode 100644
index 0000000..ce90e37
--- /dev/null
+++ b/harden_syncthing-resume.service.patch
@@ -0,0 +1,22 @@
+Index: syncthing/etc/linux-systemd/system/syncthing-resume.service
+===================================================================
+--- syncthing.orig/etc/linux-systemd/system/syncthing-resume.service
++++ syncthing/etc/linux-systemd/system/syncthing-resume.service
+@@ -4,6 +4,17 @@ Documentation=man:syncthing(1)
+ After=sleep.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ ExecStart=-/usr/bin/pkill -HUP -x syncthing
+ 
diff --git a/harden_syncthing@.service.patch b/harden_syncthing@.service.patch
new file mode 100644
index 0000000..20740fe
--- /dev/null
+++ b/harden_syncthing@.service.patch
@@ -0,0 +1,22 @@
+Index: syncthing/etc/linux-systemd/system/syncthing@.service
+===================================================================
+--- syncthing.orig/etc/linux-systemd/system/syncthing@.service
++++ syncthing/etc/linux-systemd/system/syncthing@.service
+@@ -16,6 +16,17 @@ RestartForceExitStatus=3 4
+ # Hardening
+ ProtectSystem=full
+ PrivateTmp=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=oneshot
+ ExecStart=-/usr/bin/pkill -HUP -x syncthing
+ SystemCallArchitectures=native
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
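Review bot: The directives added to syncthing-resume.service leave this oneshot unit running as root with its full capability set, although its only job, `ExecStart=-/usr/bin/pkill -HUP -x syncthing`, needs nothing beyond CAP_KILL and read access to /proc, neither of which the new lines constrain. Adding `CapabilityBoundingSet=CAP_KILL`, `ProtectSystem=strict` and `ProtectHome=true` inside the same block would confine the unit to signalling and keep the filesystem out of reach entirely. As the commit message says the change was not tested, one resume from suspend (or `systemctl start syncthing-resume.service`) should be checked to confirm the running syncthing instances still receive SIGHUP with the new directives in place; the leading `-` on ExecStart would otherwise hide a failing pkill.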
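Review bot: Every directive added to syncthing@.service isolates kernel and namespace state, but none narrows the network or syscall surface of what is, judging by the visible `# Hardening` block and the resume unit's pkill target, a long-running daemon listening on the network on behalf of a user (the User= line is outside the hunk). If the goal of the series is to reduce exposure, the next candidates for this unit are `SystemCallFilter=@system-service`, `RestrictNamespaces=true` and `LockPersonality=true`; RestrictAddressFamilies= is a further option but presumably has to include AF_NETLINK for interface enumeration in local discovery, so it needs a test run rather than an automatic addition. The placement inside the existing hardening block is fine; only the "# end of automatic additions" marker now sits between directives that conceptually belong together, which a later manual cleanup could merge.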
diff --git a/syncthing.changes b/syncthing.changes
index 8a4a489..0e3bbeb 100644
--- a/syncthing.changes
+++ b/syncthing.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Nov 24 10:16:04 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_strelaysrv.service.patch
+ * harden_syncthing-resume.service.patch
+ * harden_syncthing@.service.patch
+
 -------------------------------------------------------------------
 Tue Nov 2 20:13:46 UTC 2021 - Marius Kittler
 
diff --git a/syncthing.spec b/syncthing.spec
index aa8d5f5..82e0d98 100644
--- a/syncthing.spec
+++ b/syncthing.spec
@@ -26,6 +26,9 @@ URL: https://syncthing.net/
 Source: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-source-v%{version}.tar.gz
 Source1: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-source-v%{version}.tar.gz.asc
 Source2: %{name}.keyring
+Patch0: harden_strelaysrv.service.patch
+Patch1: harden_syncthing-resume.service.patch
+Patch2: harden_syncthing@.service.patch
 BuildRequires: systemd-rpm-macros
 BuildRequires: golang(API) >= 1.14
 BuildRequires: pkgconfig(systemd)
@@ -49,6 +52,9 @@ joined to the syncthing relay pool or private.
 
 %prep
 %setup -q -n %{name}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 # move source archive which is extracted as "syncthing" to be "src/github.com/syncthing/syncthing"
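Review bot: The three new `Patch0`–`Patch2` lines in syncthing.spec carry no tag comment, although openSUSE packaging convention records each patch's origin and purpose directly above its Patch line so that later maintainers know whether it can be dropped; add, for example, `# PATCH-FIX-OPENSUSE harden_strelaysrv.service.patch bsc#1181400 -- systemd hardening, see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort` and the equivalent line for the other two patches. The `-p1` strip level in the second spec hunk matches the `syncthing/` and `syncthing.orig/` prefixes used inside the patch files together with `%setup -q -n %{name}`, so the application itself looks correct.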