diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch
new file mode 100644
index 0000000..250a49f
--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
new file mode 100644
index 0000000..183e0b0
--- /dev/null
+++ b/harden_sssd-kcm.service.patch
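Review bot: None of the directives added after `[Service]` restricts the service's capabilities, and the read-only or inaccessible paths that `ProtectSystem=full`, `ProtectKernelTunables=true` and the related settings establish are enforced through mount namespaces, which systemd.exec documents as undoable by a privileged process unless the unit also carries `CapabilityBoundingSet=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount`. That matters here because the companion harden_sssd-kcm.service.patch adds the identical block to a unit whose visible `ExecStart` runs `sssd_kcm --uid 0 --gid 0`; the ifp responder's own `ExecStart` is outside this hunk, so whether it runs as root cannot be confirmed from the patch. Which capabilities the two daemons actually need is not determinable from the patch either, so a bounding set has to be derived from their observed behaviour rather than guessed. A pair of additions that do not depend on the filesystem sandbox holding, and that would usually be safe inside the same `# added automatically` block, is `NoNewPrivileges=true` and `RestrictSUIDSGID=true`.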
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/sssd.changes b/sssd.changes
index d0ecbb7..c52be41 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_sssd-ifp.service.patch
+  * harden_sssd-kcm.service.patch
+
 -------------------------------------------------------------------
 Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt
 
diff --git a/sssd.spec b/sssd.spec
index d3c46a4..63d8953 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -29,6 +29,8 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source3: baselibs.conf
 Source5: %name.keyring
 Patch1: krb-noversion.diff
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
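Review bot: `Patch2:` and `Patch3:` are only declared in this hunk; whether they are applied depends on the spec's `%prep`, which is outside it. If the spec applies patches with explicit `%patch` lines rather than `%autosetup`/`%autopatch`, it also needs `%patch2 -p1` and `%patch3 -p1` (the new patch files use `sssd-2.5.2.orig/src/...` paths, so `-p1` is the matching strip level); otherwise the hardening block never reaches the generated unit files. The build succeeds either way, so a missing application is easy to overlook, and checking the installed sssd-kcm.service for the `# added automatically` marker is the quickest confirmation.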