Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package bitcoin for openSUSE:Factory checked in at 2021-08-27 21:44:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bitcoin (Old)
 and /work/SRC/openSUSE:Factory/.bitcoin.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bitcoin" Fri Aug 27 21:44:18 2021 rev:42 rq:914647 version:0.21.1 Changes: -------- --- /work/SRC/openSUSE:Factory/bitcoin/bitcoin.changes 2021-05-15 01:24:50.510887043 +0200 +++ /work/SRC/openSUSE:Factory/.bitcoin.new.1899/bitcoin.changes 2021-08-27 21:45:28.570081230 +0200 @@ -1,0 +2,8 @@ +Fri Aug 27 07:49:41 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s). Added patch(es): + * harden_bitcoind.service.patch + Modified: + * bitcoind.service + +------------------------------------------------------------------- New: ---- harden_bitcoind.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bitcoin.spec ++++++ --- /var/tmp/diff_new_pack.yddiB7/_old 2021-08-27 21:45:29.810082709 +0200 +++ /var/tmp/diff_new_pack.yddiB7/_new 2021-08-27 21:45:29.814082714 +0200 @@ -34,6 +34,7 @@ Source1: %{base}d.service Source3: %{base}d.conf Source4: %{base}.conf +Patch0: harden_bitcoind.service.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ @@ -165,7 +166,7 @@ This package provides automated tests for %{name}-qt5 and %{name}d. %prep -%autosetup +%autosetup -p1 %build autoreconf -fiv ++++++ bitcoind.service ++++++ --- /var/tmp/diff_new_pack.yddiB7/_old 2021-08-27 21:45:29.906082823 +0200 +++ /var/tmp/diff_new_pack.yddiB7/_new 2021-08-27 21:45:29.906082823 +0200 
@@ -4,6 +4,19 @@ After=network.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions User=bitcoin PIDFile=/run/bitcoin/bitcoind.pid ExecStart=/usr/bin/bitcoind -conf=/etc/bitcoin/bitcoin.conf -pid=/run/bitcoin/bitcoind.pid -datadir=/var/lib/bitcoin ++++++ harden_bitcoind.service.patch ++++++ Index: bitcoin-0.21.1/contrib/init/bitcoind.service =================================================================== --- bitcoin-0.21.1.orig/contrib/init/bitcoind.service +++ bitcoin-0.21.1/contrib/init/bitcoind.service @@ -69,6 +69,16 @@ NoNewPrivileges=true # Use a new /dev namespace only populated with API pseudo devices # such as /dev/null, /dev/zero and /dev/random. PrivateDevices=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions # Deny the creation of writable and executable memory mappings. MemoryDenyWriteExecute=true
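Review bot: In bitcoin.spec, Patch0 hardens contrib/init/bitcoind.service while Source1 (%{base}d.service) is a second copy of the unit that is edited separately in this same commit, so the package now carries two hardened unit files whose added blocks already differ: the Source1 block includes ProtectSystem=full, ProtectHome=true and PrivateDevices=true, the block added by the patch omits them. Please state in the spec or the changelog which of the two units is actually installed, and drop the hardening from the other one so the two sets cannot drift apart.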
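Review bot: In the [Service] block of bitcoind.service, ProtectSystem=full and ProtectHome=true are added with only a wiki link as explanation, although ExecStart depends on /etc/bitcoin/bitcoin.conf, /run/bitcoin/bitcoind.pid and /var/lib/bitcoin. ProtectSystem=full leaves /etc readable but read-only and does not touch /run or /var, so the paths shown here keep working, but with ProtectHome=true a -datadir or -conf moved under /home or /root would fail at start. A one-line comment next to these two directives naming the paths the service is expected to write to would make that constraint visible to whoever edits ExecStart next.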
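Review bot: In harden_bitcoind.service.patch the automatic block lands between PrivateDevices=true and the comment that belongs to MemoryDenyWriteExecute=true, in a file where each directive carries its own explanatory comment; the seven new directives have none beyond the wiki link. Suggest adding a short comment per directive in the file's existing style, or moving the block to the end of the hardening section so the existing comment and directive pairs stay together.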
