Hello community,

here is the log from the commit of package pesign for openSUSE:Factory checked in at 2021-11-03 17:25:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign (Old)
 and      /work/SRC/openSUSE:Factory/.pesign.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pesign"

Wed Nov  3 17:25:08 2021 rev:39 rq:928124 version:113

Changes:
--------
--- /work/SRC/openSUSE:Factory/pesign/pesign.changes    2021-06-12 
20:05:34.100669385 +0200
+++ /work/SRC/openSUSE:Factory/.pesign.new.1890/pesign.changes  2021-11-03 
17:25:10.193301257 +0100
@@ -1,0 +2,6 @@
+Tue Oct 19 05:58:37 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_pesign.service.patch
+
+-------------------------------------------------------------------
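
Review bot: The entry "Added hardening to systemd service(s) (bsc#1181400)" names only the patch file, so a reader of pesign.changes cannot tell which sandboxing directives now apply to the signing daemon. Consider listing the directives in the entry, or at least noting that signing through the daemon was exercised with them enabled.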

New:
----
  harden_pesign.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pesign.spec ++++++
--- /var/tmp/diff_new_pack.XexPFG/_old  2021-11-03 17:25:11.385301909 +0100
+++ /var/tmp/diff_new_pack.XexPFG/_new  2021-11-03 17:25:11.389301911 +0100
@@ -40,6 +40,7 @@
 Patch7:         pesign-boo1158197-fix-pesigncheck-gcc10.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 
g...@suse.com -- Set the rpm macro directory at build time
 Patch8:         pesign-boo1185663-set-rpmmacrodir.patch
+Patch9:         harden_pesign.service.patch
 BuildRequires:  efivar-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  mozilla-nss-devel
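
Review bot: "Patch9: harden_pesign.service.patch" is added without the descriptive tag comment that the neighbouring Patch8 carries ("# PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 ..."). Add a matching comment line above Patch9 that references bsc#1181400 and states whether the change is upstream or openSUSE-specific, so the origin of the hardening is visible from the spec file alone.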
@@ -64,6 +65,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie"

++++++ harden_pesign.service.patch ++++++
Index: pesign-113/src/pesign.service.in
===================================================================
--- pesign-113.orig/src/pesign.service.in
+++ pesign-113/src/pesign.service.in
@@ -3,6 +3,19 @@ Description=Pesign signing daemon
 
 [Service]
 PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 PIDFile=/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
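
Review bot: In the [Service] block, "PrivateDevices=true" and "ProtectSystem=full" are the two additions most likely to change what "ExecStart=/usr/bin/pesign --daemonize" can do, and the "added automatically" comment gives no indication that they were checked against this daemon. PrivateDevices=true replaces /dev with a minimal set of pseudo-devices, so a signing key held on a hardware token reached through a device node would become unavailable; ProtectSystem=full makes /usr, the boot loader directories and /etc read-only, so any state the daemon writes there will fail. Please confirm both against a real signing run. If that passes, consider whether ProtectSystem=strict with explicit ReadWritePaths= (including /run for "PIDFile=/run/pesign.pid") would be a tighter fit. The line "# end of automatic additions " also ends in a trailing space.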
