Hello community,

here is the log from the commit of package coturn for openSUSE:Factory checked in at 2021-08-31 19:55:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/coturn (Old)
 and      /work/SRC/openSUSE:Factory/.coturn.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "coturn"

Tue Aug 31 19:55:30 2021 rev:8 rq:915145 version:4.5.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/coturn/coturn.changes    2021-01-11 
17:17:59.864764853 +0100
+++ /work/SRC/openSUSE:Factory/.coturn.new.1899/coturn.changes  2021-08-31 
19:56:25.158016607 +0200
@@ -1,0 +2,9 @@
+Mon Aug 30 11:55:53 UTC 2021 - Johannes Segitz <[email protected]>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_coturn.service.patch
+  Modified:
+  * coturn.service
+  * [email protected]
+
+-------------------------------------------------------------------
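Review bot: The changelog entry says hardening was added but never names a directive, and it lists coturn.service and coturn@.service as modified without saying what changed in them. In this submission the change to both files is the single line RestrictRealtime=true, so the entry could say that directly and be readable without opening the diff.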

New:
----
  harden_coturn.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ coturn.spec ++++++
--- /var/tmp/diff_new_pack.RYwl1i/_old  2021-08-31 19:56:26.034017704 +0200
+++ /var/tmp/diff_new_pack.RYwl1i/_new  2021-08-31 19:56:26.034017704 +0200
@@ -40,6 +40,7 @@
 Source7:        README.SUSE
 Source8:        %{name}-apparmor-usr.bin.turnserver
 Source9:        %{name}@.service
+Patch0:         harden_coturn.service.patch
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  libevent-devel >= 2.0.0
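Review bot: Patch0 is declared here, but this is the only hunk in coturn.spec, so nothing is added to %prep to apply it. Unless %prep already uses %autosetup or %autopatch (not visible in this diff), harden_coturn.service.patch is carried in the source package and never applied. Please confirm, or add the matching %patch line.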

++++++ coturn.service ++++++
--- /var/tmp/diff_new_pack.RYwl1i/_old  2021-08-31 19:56:26.118017809 +0200
+++ /var/tmp/diff_new_pack.RYwl1i/_new  2021-08-31 19:56:26.118017809 +0200
@@ -44,6 +44,10 @@
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+RestrictRealtime=true
+# end of automatic additions 
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap 
@privileged @resources @cpu-emulation @obsolete
 
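Review bot: The marker line "# end of automatic additions " ends with a trailing space, and RestrictRealtime=true is inserted after RestrictSUIDSGID=yes, which breaks the alphabetical order of the Restrict* block and uses true where the neighbouring lines use yes. Suggest placing it after RestrictNamespaces=yes as RestrictRealtime=yes and dropping the trailing space.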

++++++ coturn@.service ++++++
--- /var/tmp/diff_new_pack.RYwl1i/_old  2021-08-31 19:56:26.162017864 +0200
+++ /var/tmp/diff_new_pack.RYwl1i/_new  2021-08-31 19:56:26.162017864 +0200
@@ -44,6 +44,10 @@
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+RestrictRealtime=true
+# end of automatic additions 
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap 
@privileged @resources @cpu-emulation @obsolete
 
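Review bot: The SystemCallFilter= context line in this hunk already denies the @resources group, which includes the scheduling-parameter calls such as sched_setscheduler, so RestrictRealtime=true overlaps with a restriction the unit already has. Keeping it as a second layer is reasonable in case the filter is loosened later, but the comment "added automatically" gives no reason; a short note that it backs up the syscall filter would help the next person editing this template.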

++++++ harden_coturn.service.patch ++++++
Index: coturn-4.5.2/examples/etc/coturn.service
===================================================================
--- coturn-4.5.2.orig/examples/etc/coturn.service
+++ coturn-4.5.2/examples/etc/coturn.service
@@ -15,6 +15,18 @@ ExecStart=/usr/bin/turnserver -c /etc/tu
 Restart=on-failure
 InaccessibleDirectories=/home
 PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 
 [Install]
 WantedBy=multi-user.target
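Review bot: This patch edits examples/etc/coturn.service from the upstream tarball, which is not the same file as the package's own coturn.service shown earlier in this mail: that one already carries RestrictAddressFamilies=, RestrictNamespaces= and SystemCallFilter=, while this one goes from PrivateTmp=yes straight to [Install]. If the spec installs the package's own unit files, none of ProtectSystem=full through ProtectControlGroups=true reaches the installed service, and the packaged units gain only RestrictRealtime=true. Please check which unit is installed and, if it is the packaged one, add there whichever of these directives it does not already have. Separately, ProtectHome=true makes the existing InaccessibleDirectories=/home line redundant.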
