Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package shadowsocks-libev for
openSUSE:Factory checked in at 2026-05-27 16:13:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shadowsocks-libev (Old)
and /work/SRC/openSUSE:Factory/.shadowsocks-libev.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadowsocks-libev"
Wed May 27 16:13:50 2026 rev:27 rq:1354961 version:3.3.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/shadowsocks-libev/shadowsocks-libev.changes
2026-05-05 15:16:32.898071324 +0200
+++
/work/SRC/openSUSE:Factory/.shadowsocks-libev.new.1937/shadowsocks-libev.changes
2026-05-27 16:14:15.666266995 +0200
@@ -1,0 +2,17 @@
+Mon May 18 13:17:48 UTC 2026 - Hillwood Yang <[email protected]>
+
+- Comprehensive systemd service hardening (bnc#1212862 and boo#1263916)
+ * Add CAP_DAC_READ_SEARCH to AmbientCapabilities/CapabilityBoundingSet
+ to allow reading certificates from restricted dynamic paths.
+ * Ensures v2ray-plugin can access Let's Encrypt keys reliably.
+ * Restrict root powers using CapabilityBoundingSet (minimal privileges).
+ * Isolate filesystem via ProtectSystem=full and ProtectHome=true.
+ * Whitelist binary and config access with ReadOnlyPaths.
+ * Disable kernel/device modifications (ProtectKernel*, PrivateDevices).
+ * Introduce SELinux and AppArmor as optional security hardening schemes,
+ and add shadowsocks-libev-selinux and shadowsocks-libev-apparmory
+ subpackages.
+- Integrate shadowsocks-sysuser for proper non-privileged user handling
+ (boo#1264355).
+
+-------------------------------------------------------------------
Old:
----
shadowsocks-libev.tmpfiles
New:
----
shadowsocks-libev.apparmor
shadowsocks-libev.fc
shadowsocks-libev.te
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shadowsocks-libev.spec ++++++
--- /var/tmp/diff_new_pack.832tlx/_old 2026-05-27 16:14:17.362336869 +0200
+++ /var/tmp/diff_new_pack.832tlx/_new 2026-05-27 16:14:17.362336869 +0200
@@ -17,6 +17,15 @@
#
+%global selinuxtype targeted
+%if 0%{?suse_version} >= 1600
+%bcond_without selinux
+%bcond_without apparmor
+%else
+%bcond_with selinux
+%bcond_without apparmor
+%endif
+
%define libver 2
Name: shadowsocks-libev
Version: 3.3.6
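Review bot: The `%bcond_without selinux` and `%bcond_without apparmor` switches defined here are never consulted — the selinux/apparmor BuildRequires in the next hunk, the `%build`/`%install` steps in the `@@ -109,12 +148,19 @@` hunk, the profile install in the `@@ -151,6 +194,9 @@` hunk and the subpackages, scriptlets and `%files` sections are all unconditional, so on `suse_version < 1600`, where this block disables selinux by default, the build still needs selinux-policy-devel and still ships the selinux subpackage. Either wrap each of those spans in `%if %{with selinux}` … `%endif` (and `%if %{with apparmor}` … `%endif`) or drop the bconds so the spec does not advertise a switch it does not honour. Both branches also set `%bcond_without apparmor`, so only the selinux default depends on the version check; hoisting that line above the `%if` makes this explicit.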
@@ -38,19 +47,29 @@
Source10: %{name}[email protected]
Source11: %{name}[email protected]
Source12: %{name}[email protected]
-Source13: %{name}.tmpfiles
+Source13: %{name}.apparmor
+Source14: %{name}.te
+Source15: %{name}.fc
Source99:
https://github.com/shadowsocks/libbloom/archive/437e1add5a2b9a87797d8c648df7cf5f3ee155a8/libbloom-437e1ad.tar.gz
Source100:
https://github.com/shadowsocks/libcork/archive/074e074b26e9e372e90e6ade215217763c8644aa/libcork-074e074.tar.gz
Source101:
https://github.com/shadowsocks/ipset/archive/3ea7fe30adf4b39b27d932e5a70a2ddce4adb508/ipset-3ea7fe3.tar.gz
# PATCH-FIX-UPSTREAM shadowsocks-libev-gcc13-compat.patch
[email protected] - Fix build with gcc 13
Patch0: shadowsocks-libev-gcc13-compat.patch
+BuildRequires: apparmor-abstractions
+BuildRequires: apparmor-rpm-macros
BuildRequires: asciidoc
+BuildRequires: checkpolicy
+BuildRequires: checkpolicy
BuildRequires: cmake
BuildRequires: gcc
BuildRequires: gcc-c++
+BuildRequires: libapparmor-devel
BuildRequires: mbedtls-devel
BuildRequires: pkgconfig
+BuildRequires: selinux-policy-devel
+BuildRequires: shadowsocks-common-selinux
BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
BuildRequires: xmlto
BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libev)
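Review bot: `BuildRequires: checkpolicy` appears twice in a row in this hunk; drop the second copy. `BuildRequires: shadowsocks-common-selinux` is presumably there because the new policy module `require`s `shadowsocks_config_t` from that package, and a comment saying so, `# provides shadowsocks_config_t required by shadowsocks-libev.te`, keeps it from being removed as unused later. `BuildRequires: sysuser-tools` is added but no sysusers file or `%sysusers_generate_pre` call appears in the visible hunks; if the account now comes solely from the shadowsocks-sysuser runtime package, this build dependency looks unneeded.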
@@ -58,7 +77,7 @@
BuildRequires: pkgconfig(libsodium) >= 1.0.4
BuildRequires: pkgconfig(mbedtls)
BuildRequires: pkgconfig(openssl)
-BuildRequires: pkgconfig(systemd)
+Requires(pre): shadowsocks-sysuser
Requires(pre): shadow
Recommends: shadowsocks-v2ray-plugin
%{?systemd_ordering}
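Review bot: `Requires(pre): shadow` survives this hunk although the `%pre` hunk below removes the only `groupadd`/`useradd` calls in view; with the account provided by shadowsocks-sysuser it can likely be dropped, unless something outside these hunks still needs the shadow tools. Dropping `BuildRequires: pkgconfig(systemd)` looks safe from what is shown, since `%{_unitdir}` and the `%service_*` macros come from systemd-rpm-macros, which stays.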
@@ -89,6 +108,26 @@
This package provides Documents for it.
+%package apparmor
+Summary: Apparmor profile for %{name}
+BuildArch: noarch
+Requires: %{name} = %{version}-%{release}
+Supplements: (shadowsocks-libev and apparmor-abstractions)
+
+%description apparmor
+This package adds the Apparmor profile to %{name}
+
+%package selinux
+Summary: Selinux support for %{name}
+BuildArch: noarch
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy-targeted
+Requires: shadowsocks-common-selinux
+Supplements: (shadowsocks-libev and selinux-policy-targeted)
+
+%description selinux
+This package adds SELinux enforcement to %{name}.
+
%package devel
Summary: Development headers for shadowsocks-libev
Group: Development/Libraries/C and C++
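Review bot: `Requires: selinux-policy-targeted` and `Supplements: (shadowsocks-libev and selinux-policy-targeted)` hard-code the policy type that the rest of the spec reads from `%{selinuxtype}`; writing `Requires: selinux-policy-%{selinuxtype}` keeps the two from drifting apart. The selinux scriptlets later in the spec call `%selinux_modules_install` and `%selinux_relabel_*`, which need the policycoreutils tooling at `%post` time; if the distribution's selinux-policy macros provide `%selinux_requires` as Fedora's do, adding `%{?selinux_requires}` to this subpackage is the usual way to declare that. `%description apparmor` lacks a terminating period, and the products are normally spelled AppArmor and SELinux in the summaries.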
@@ -109,12 +148,19 @@
mv libbloom-437e1add5a2b9a87797d8c648df7cf5f3ee155a8 libbloom
mv libcork-074e074b26e9e372e90e6ade215217763c8644aa libcork
mv ipset-3ea7fe30adf4b39b27d932e5a70a2ddce4adb508 libipset
+cp %{SOURCE14} shadowsocks_libev.te
+cp %{SOURCE15} shadowsocks_libev.fc
%build
+make -f %{_datadir}/selinux/devel/Makefile shadowsocks_libev.pp
+
%cmake -DWITH_STATIC=OFF
%cmake_build
%install
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 shadowsocks_libev.pp
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/shadowsocks_libev.pp
+
%cmake_install
find %{buildroot} -type f -name "*.la" -delete -print
@@ -135,9 +181,6 @@
install -m 644 %{SOURCE11} %{buildroot}%{_unitdir}
install -m 644 %{SOURCE12} %{buildroot}%{_unitdir}
-mkdir -p %{buildroot}%{_tmpfilesdir}
-install -m 644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-
mkdir -p %{buildroot}%{_sbindir}
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcshadowsocks-libev-client
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcshadowsocks-libev-server
@@ -151,6 +194,9 @@
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcshadowsocks-libev-redir@
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcshadowsocks-libev-tunnel@
+install -d %{buildroot}%{_sysconfdir}/apparmor.d
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/apparmor.d/%{name}
+
%pre
%service_add_pre %{name}-server.service
%service_add_pre %{name}-client.service
@@ -163,10 +209,6 @@
%service_add_pre %{name}[email protected]
%service_add_pre %{name}[email protected]
%service_add_pre %{name}[email protected]
-getent group shadowsocks >/dev/null || %{_sbindir}/groupadd --system
shadowsocks
-getent passwd shadowsocks >/dev/null || %{_sbindir}/useradd --system -c
"shadowsocks User" \
- -d %{_localstatedir}/shadowsocks -m -g shadowsocks -s
%{_sbindir}/nologin \
- shadowsocks
%post
%service_add_post %{name}-server.service
@@ -180,9 +222,6 @@
%service_add_post %{name}[email protected]
%service_add_post %{name}[email protected]
%service_add_post %{name}[email protected]
-chown root:shadowsocks %{_sysconfdir}/shadowsocks -R
-chmod 750 %{_sysconfdir}/shadowsocks
-chmod 640 %{_sysconfdir}/shadowsocks/*
%preun
%service_del_preun %{name}-server.service
@@ -210,13 +249,36 @@
%service_del_postun %{name}[email protected]
%service_del_postun %{name}[email protected]
+%post apparmor
+%apparmor_reload %{_sysconfdir}/apparmor.d/%{name}
+
+%preun apparmor
+if [ -d %{_sysconfdir}/apparmor.d ] && [ -d /sys/kernel/security/apparmor ];
then
+ %apparmor_reload %{_sysconfdir}/apparmor.d/%{name}
+fi
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype}
%{_datadir}/selinux/packages/%{selinuxtype}/shadowsocks_libev.pp
+%selinux_relabel_post -s %{selinuxtype}
+
+%preun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} shadowsocks_libev
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
%ldconfig_scriptlets -n lib%{name}2
%files
%doc Changes README.md AUTHORS
-%dir %{_sysconfdir}/shadowsocks
-%config(noreplace) %{_sysconfdir}/shadowsocks/%{name}-config.json
%license COPYING
+%attr(750,root,shadowsocks) %dir %{_sysconfdir}/shadowsocks
+%attr(640,root,shadowsocks) %config(noreplace)
%{_sysconfdir}/shadowsocks/%{name}-config.json
%{_bindir}/ss-local
%{_bindir}/ss-redir
%{_bindir}/ss-server
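Review bot: `%selinux_relabel_post -s %{selinuxtype}` runs twice on install, once in `%post selinux` and again in `%posttrans selinux`; the usual layout keeps `%selinux_modules_install` in `%post` and the relabel only in `%posttrans`, so the `%post` relabel line can be dropped. `%preun apparmor` calls `%apparmor_reload` while the profile file is still on disk, so on erase it re-loads rather than unloads the profile and on upgrade it does redundant work; unless the macro handles the removal case itself, guard it with `if [ $1 -eq 0 ]` and unload the profile there (`apparmor_parser -R`). The `%files selinux` entry spells the path as `packages/targeted/` while `%install` writes it under `packages/%{selinuxtype}/`; use the macro in both places. `%files apparmor` marks the profile `%config` rather than `%config(noreplace)`, which is the common choice so hardening updates are applied, but a one-line comment saying that local edits will be overwritten would help.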
@@ -228,12 +290,21 @@
%{_mandir}/man1/ss-*.1%{?ext_man}
%{_sbindir}/rcshadowsocks-libev-*
%{_unitdir}/%{name}-*.service
-%{_tmpfilesdir}/%{name}.conf
%files -n lib%{name}%{libver}
%license COPYING
%{_libdir}/lib%{name}.so.*
+%files apparmor
+%license COPYING
+%config %{_sysconfdir}/apparmor.d/%{name}
+
+%files selinux
+%license COPYING
+%{_datadir}/selinux/packages/targeted/shadowsocks_libev.pp
+
+%files devel
+
%files doc
%license COPYING
%dir %{_datadir}/doc/%{name}
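Review bot: The tmpfiles.d entry is dropped here (and its install in the `%install` hunk), but the new AppArmor profile and SELinux module still grant access to `/run/shadowsocks/`; nothing visible in these hunks creates that directory now, so unless the unit files set `RuntimeDirectory=shadowsocks` outside the lines shown, a PID file or socket under `/run/shadowsocks` will fail at start. An empty `%files devel` section is also added; if the devel files are listed in another `%files devel` later in the spec this duplicate is at best confusing, and if they are not, the devel package now ships nothing. Either remove the empty section or move the devel file list into it.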
++++++ shadowsocks-libev-server.service ++++++
--- /var/tmp/diff_new_pack.832tlx/_old 2026-05-27 16:14:17.530343790 +0200
+++ /var/tmp/diff_new_pack.832tlx/_new 2026-05-27 16:14:17.534343955 +0200
@@ -6,6 +6,10 @@
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+PermissionsStartOnly=false
+ReadOnlyPaths=/etc/shadowsocks/ /etc/letsencrypt/ /usr/bin/ss-server
/usr/bin/v2ray-plugin /usr/bin/xray-plugin
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
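Review bot: `CAP_DAC_READ_SEARCH` in `AmbientCapabilities=`/`CapabilityBoundingSet=` lets ss-server and every plugin it execs read and traverse any file on the host regardless of mode and ownership, and nothing else in this hunk narrows that: `ReadOnlyPaths=` only strips write access from the listed paths, and `ProtectSystem=full`/`ProtectHome=true` block writes and the home directories but not reads elsewhere. The `deny` rules in the new AppArmor profile and the type rules in the SELinux module do bound it, but both subpackages are optional, so on a host with neither the unit alone gives a network-facing process near-complete read access (`/etc/shadow`, other services' private keys). A narrower route to the Let's Encrypt files is group read/search on the certificate directory for the shadowsocks group (an ACL applied by a certbot deploy hook) or `LoadCredential=`, if the plugin can be pointed at `$CREDENTIALS_DIRECTORY`, keeping the ambient set at `CAP_NET_BIND_SERVICE`; if the capability has to stay, add `InaccessiblePaths=/etc/shadow /etc/gshadow` plus the other key directories as a fallback and note in a comment that the profile/module are the intended bound. `PermissionsStartOnly=false` is the default value of a deprecated directive and can go; whether the unit sets a non-root `User=` (needed for `AmbientCapabilities=` to matter) is outside the hunk, as is the rest of the `[Service]` section. The same hunk appears in the second unit file below and the same points apply there.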
++++++ [email protected] ++++++
--- /var/tmp/diff_new_pack.832tlx/_old 2026-05-27 16:14:17.566345274 +0200
+++ /var/tmp/diff_new_pack.832tlx/_new 2026-05-27 16:14:17.570345438 +0200
@@ -6,6 +6,10 @@
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+PermissionsStartOnly=false
+ReadOnlyPaths=/etc/shadowsocks/ /etc/letsencrypt/ /usr/bin/ss-server
/usr/bin/v2ray-plugin /usr/bin/xray-plugin
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
++++++ shadowsocks-libev.apparmor ++++++
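#include <tunables/global>

/usr/bin/ss-server {
  # Inherit basic permissions (e.g., loading shared libraries)
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # AppArmor mediates capability use on its own: a capability handed to the
  # unit through AmbientCapabilities= is still refused under enforcement
  # unless it is also listed here.  net_bind_service covers listen ports
  # below 1024; dac_read_search lets the daemon traverse and read the
  # mode-restricted certificate directories below.  Both remain bounded by
  # the path rules of this profile, so the blast radius of dac_read_search
  # is the set of paths granted read access here, not the whole filesystem.
  capability net_bind_service,
  capability dac_read_search,

  # Allow reading configuration files
  /etc/shadowsocks/*.json r,

  # Allow reading certificate paths and creating PID file (recursive read +
  # path traversal/search)
  /etc/letsencrypt/** r,
  /run/shadowsocks/ r,
  /run/shadowsocks/** rw,

  # Network operations
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # Explicitly deny access to sensitive paths
  # (Blocked even if CAP_DAC_READ_SEARCH is present; deny rules win over
  # any broader allow rule added later)
  deny /etc/shadow r,
  deny /etc/gshadow r,
  deny /root/** r,
  deny /home/** r,

  # Allow execution of plugins (e.g., v2ray-plugin).  "ix" runs them under
  # this same profile, so a plugin is limited to exactly the rules above.
  /usr/bin/v2ray-plugin ix,
  /usr/bin/xray-plugin ix,
}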
(No newline at EOF)
++++++ shadowsocks-libev.fc ++++++
# Label the server binary as the entry point of the shadowsocks_libev_t
# domain; init transitions into that domain on exec via the
# init_daemon_domain() call in shadowsocks-libev.te.
/usr/bin/ss-server -- system_u:object_r:shadowsocks_libev_exec_t:s0
(No newline at EOF)
++++++ shadowsocks-libev.te ++++++
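policy_module(shadowsocks_libev, 1.0)

########################################
#
# Declarations
#
########################################

# Types, attributes and classes this module references but does not define.
# shadowsocks_config_t is expected to come from shadowsocks-common-selinux,
# which is why the spec BuildRequires that package.  An unsatisfied require
# makes the module fail to link, so only identifiers actually used by the
# rules below are listed.
require {
	type etc_t;
	type cert_t;
	type node_t;
	type var_run_t;
	type shadowsocks_config_t;
	type bin_t;
	type shell_exec_t;
	type lo_node_t;
	type inaddr_any_node_t;
	attribute port_type;
	type random_device_t;
	type sysfs_t;
	type cgroup_t;
	type sysctl_net_t;
	class chr_file { read getattr open };
	class unix_dgram_socket { create connect sendto };
	class capability { sys_resource net_bind_service dac_read_search };
	class file { read open getattr write create unlink entrypoint map execute
		execute_no_trans ioctl lock };
	class fifo_file { getattr read write ioctl };
	class dir { search getattr write add_name remove_name read };
	class lnk_file { read getattr };
	class process { transition sigchld signull };
	class tcp_socket { create bind node_bind name_bind listen accept connect
		setopt getopt getattr setattr read write ioctl };
	class udp_socket { create bind node_bind name_bind getattr setattr read
		write connect setopt getopt listen accept };
}

# The ss-server domain.  /usr/bin/ss-server is labelled
# shadowsocks_libev_exec_t (see shadowsocks-libev.fc) and init transitions
# into shadowsocks_libev_t when it starts the unit.
type shadowsocks_libev_t;
type shadowsocks_libev_exec_t;
init_daemon_domain(shadowsocks_libev_t, shadowsocks_libev_exec_t)

########################################
#
# File and directory access
#
########################################

# Certificates (cert_t) and the shadowsocks configuration are read-only.
# Together with the dac_read_search capability granted further down, these
# rules are what bound which files the daemon can actually read under
# SELinux: the capability only bypasses DAC mode bits, never type
# enforcement, so a type not listed here stays unreadable.
allow shadowsocks_libev_t cert_t:dir { search getattr };
allow shadowsocks_libev_t cert_t:file { read open getattr };
allow shadowsocks_libev_t cert_t:lnk_file { read getattr };
allow shadowsocks_libev_t etc_t:dir search;
allow shadowsocks_libev_t shadowsocks_config_t:dir { read search getattr };
allow shadowsocks_libev_t shadowsocks_config_t:file { read open getattr };

# PID file under /run.  NOTE(review): a transition to var_run_t, the type of
# /run itself, is effectively a no-op; a dedicated shadowsocks_libev_var_run_t
# declared with files_pid_file() would let the write rules below be limited
# to that type instead of all of var_run_t - TODO confirm the pid file path.
files_pid_filetrans(shadowsocks_libev_t, var_run_t, dir)
files_pid_filetrans(shadowsocks_libev_t, var_run_t, file)
allow shadowsocks_libev_t var_run_t:dir { search getattr write add_name
	remove_name };
allow shadowsocks_libev_t var_run_t:file { read open getattr write create
	unlink };

########################################
#
# System initialisation (random, logging, sysfs)
#
########################################

allow shadowsocks_libev_t random_device_t:chr_file { read getattr open };
# Presumably the syslog socket; if so, logging_send_syslog_msg() is the
# interface to use, as it also covers the type of /dev/log - verify.
allow shadowsocks_libev_t self:unix_dgram_socket { create connect sendto };
allow shadowsocks_libev_t sysfs_t:file { read open getattr };
allow shadowsocks_libev_t cgroup_t:dir search;
allow shadowsocks_libev_t sysctl_net_t:dir search;

########################################
#
# Network (TCP and UDP)
#
########################################

# name_bind on every port_type lets the daemon listen on any port; this
# presumably follows the configurable listen port but is broader than a
# dedicated port type would be - TODO(review) narrow once one exists.
# connect to any port is presumably needed because the server relays to
# client-chosen destinations.
allow shadowsocks_libev_t port_type:tcp_socket { name_bind connect };
allow shadowsocks_libev_t port_type:udp_socket { name_bind };
allow shadowsocks_libev_t { node_t lo_node_t inaddr_any_node_t }:tcp_socket {
	node_bind };
allow shadowsocks_libev_t self:tcp_socket { create bind listen accept connect
	setopt getopt getattr setattr read write ioctl };
allow shadowsocks_libev_t { node_t lo_node_t inaddr_any_node_t }:udp_socket {
	node_bind };
allow shadowsocks_libev_t self:udp_socket { create bind getattr setattr read
	write connect setopt getopt listen accept };

########################################
#
# Kernel capabilities
#
########################################

# The systemd unit hands the daemon CAP_NET_BIND_SERVICE and
# CAP_DAC_READ_SEARCH through AmbientCapabilities=.  SELinux checks
# capability use independently of the unit, so without these two the
# confined daemon can neither bind a port below 1024 nor read
# mode-restricted certificate files, even though the unit grants them.
# sys_resource is carried over unchanged from the previous rule set.
allow shadowsocks_libev_t self:capability { sys_resource net_bind_service
	dac_read_search };

########################################
#
# Plugin execution (SIP003 plugins such as v2ray-plugin)
#
########################################

# Plugins are executed without a domain transition (execute_no_trans), so
# they run as shadowsocks_libev_t and are bounded by the same rules.
allow shadowsocks_libev_t bin_t:dir { search getattr };
allow shadowsocks_libev_t bin_t:lnk_file { read getattr };
allow shadowsocks_libev_t bin_t:file { read open getattr execute
	execute_no_trans map };
allow shadowsocks_libev_t shell_exec_t:file { read open getattr execute
	execute_no_trans map };
allow shadowsocks_libev_t self:fifo_file { read write getattr ioctl };

########################################
#
# DNS name resolution
#
########################################

sysnet_dns_name_resolve(shadowsocks_libev_t)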
(No newline at EOF)