Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gssproxy for openSUSE:Factory checked in at 2021-09-28 19:16:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gssproxy (Old)
 and /work/SRC/openSUSE:Factory/.gssproxy.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gssproxy" Tue Sep 28 19:16:36 2021 rev:7 rq:921908 version:0.8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/gssproxy/gssproxy.changes 2021-03-24 16:16:13.176144709 +0100 +++ /work/SRC/openSUSE:Factory/.gssproxy.new.1899/gssproxy.changes 2021-09-28 19:17:29.144251740 +0200 @@ -1,0 +2,6 @@ +Tue Sep 21 07:41:14 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_gssproxy.service.patch + +------------------------------------------------------------------- New: ---- harden_gssproxy.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gssproxy.spec ++++++ --- /var/tmp/diff_new_pack.wTfEua/_old 2021-09-28 19:17:29.540252196 +0200 +++ /var/tmp/diff_new_pack.wTfEua/_new 2021-09-28 19:17:29.544252201 +0200 @@ -24,6 +24,7 @@ Group: Productivity/Networking/System URL: https://github.com/gssapi/gssproxy Source0: https://github.com/gssapi/gssproxy/releases/download/v%{version}/gssproxy-%{version}.tar.gz +Patch0: harden_gssproxy.service.patch BuildRequires: docbook-xsl-stylesheets BuildRequires: doxygen BuildRequires: krb5-client @@ -63,6 +64,7 @@ %prep %setup -q +%patch0 -p1 %build autoreconf -fvi ++++++ harden_gssproxy.service.patch ++++++ Index: gssproxy-0.8.4/systemd/gssproxy.service.in =================================================================== --- gssproxy-0.8.4.orig/systemd/gssproxy.service.in +++ gssproxy-0.8.4/systemd/gssproxy.service.in 
@@ -5,6 +5,19 @@ After=syslog.target network.target Before=rpc-gssd.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache ExecStart=@sbindir@/gssproxy -D # These two should be used with traditional UNIX forking daemons
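Review bot: In gssproxy.spec the new `Patch0: harden_gssproxy.service.patch` line has no comment saying what the patch is for or where it comes from, so the spec file alone does not tie it to bsc#1181400, which is mentioned only in the .changes entry. Consider a one-line comment above `Patch0:` naming the bug reference and stating that this is a distribution-side hardening patch, so a later version bump past 0.8.4 knows whether it needs rebasing or can be dropped.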
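Review bot: In the gssproxy.service.in hunk, `ProtectHome=true` makes /home, /root and /run/user inaccessible to the daemon, and the "added automatically" comment does not say whether that was checked against how gssproxy is actually configured. The default replay cache shown in `Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache` lives under /var and stays writable with `ProtectSystem=full`, but a site configuration that points keytabs or credential caches at a home directory or at /run/user would stop working after this change. Please either confirm that the shipped configuration keeps all credential paths outside those directories and say so in the comment, or mention in the .changes entry that such setups need a drop-in override. The same comment block would also be the place to note which of the listed directives were tested with the `Before=rpc-gssd.service` NFS use case.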
