Accepting request 933493 from network

OBS-URL: https://build.opensuse.org/request/show/933493
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/syncthing?expand=0&rev=115

harden_strelaysrv.service.patch

@@ -0,0 +1,20 @@
+Index: syncthing/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
+===================================================================
+--- syncthing.orig/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
++++ syncthing/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
+@@ -17,6 +17,15 @@ NoNewPrivileges=true
+ PrivateTmp=true
+ PrivateDevices=true
+ ProtectHome=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ SystemCallArchitectures=native
+ MemoryDenyWriteExecute=true
+ 

harden_syncthing-resume.service.patch

@@ -0,0 +1,22 @@
+Index: syncthing/etc/linux-systemd/system/syncthing-resume.service
+===================================================================
+--- syncthing.orig/etc/linux-systemd/system/syncthing-resume.service
++++ syncthing/etc/linux-systemd/system/syncthing-resume.service
+@@ -4,6 +4,17 @@ Documentation=man:syncthing(1)
+ After=sleep.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=oneshot
+ ExecStart=-/usr/bin/pkill -HUP -x syncthing
+ 

harden_syncthing@.service.patch

@@ -0,0 +1,22 @@
+Index: syncthing/etc/linux-systemd/system/syncthing@.service
+===================================================================
+--- syncthing.orig/etc/linux-systemd/system/syncthing@.service
++++ syncthing/etc/linux-systemd/system/syncthing@.service
+@@ -16,6 +16,17 @@ RestartForceExitStatus=3 4
+ # Hardening
+ ProtectSystem=full
+ PrivateTmp=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ SystemCallArchitectures=native
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true

syncthing.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Nov 24 10:16:04 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_strelaysrv.service.patch
+  * harden_syncthing-resume.service.patch
+  * harden_syncthing@.service.patch
+
 -------------------------------------------------------------------
 Tue Nov  2 20:13:46 UTC 2021 - Marius Kittler <marius.kittler@suse.com>
 

syncthing.spec

@@ -26,6 +26,9 @@ URL:            https://syncthing.net/
 Source:         https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-source-v%{version}.tar.gz
 Source1:        https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-source-v%{version}.tar.gz.asc
 Source2:        %{name}.keyring
+Patch0:	harden_strelaysrv.service.patch
+Patch1:	harden_syncthing-resume.service.patch
+Patch2:	harden_syncthing@.service.patch
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  golang(API) >= 1.14
 BuildRequires:  pkgconfig(systemd)
@@ -49,6 +52,9 @@ joined to the syncthing relay pool or private.
 
 %prep
 %setup -q -n %{name}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 # move source archive which is extracted as "syncthing" to be "src/github.com/syncthing/syncthing"