Hello community,

here is the log from the commit of package haveged for openSUSE:Factory checked in at 2021-11-20 02:38:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haveged (Old)
 and /work/SRC/openSUSE:Factory/.haveged.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haveged" Sat Nov 20 02:38:22 2021 rev:60 rq:930759 version:1.9.14 Changes: -------- --- /work/SRC/openSUSE:Factory/haveged/haveged.changes 2021-11-08 17:24:11.748693758 +0100 +++ /work/SRC/openSUSE:Factory/.haveged.new.1895/haveged.changes 2021-11-20 02:39:00.624805848 +0100 @@ -15,0 +16,9 @@ +Tue Sep 21 12:15:06 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_haveged.service.patch + Modified: + * haveged-switch-root.service + * haveged.service + +------------------------------------------------------------------- New: ---- harden_haveged.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haveged.spec ++++++ --- /var/tmp/diff_new_pack.KipXnk/_old 2021-11-20 02:39:01.100804277 +0100 +++ /var/tmp/diff_new_pack.KipXnk/_new 2021-11-20 02:39:01.104804264 +0100 @@ -32,6 +32,7 @@ Patch0: ppc64le.patch # PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psim...@suse.com bnc#959237 Patch2: haveged-no-syslog.patch +Patch3: harden_haveged.service.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool ++++++ harden_haveged.service.patch ++++++ Index: haveged-1.9.14/contrib/Fedora/haveged.service =================================================================== --- haveged-1.9.14.orig/contrib/Fedora/haveged.service +++ haveged-1.9.14/contrib/Fedora/haveged.service 
@@ -24,6 +24,12 @@ ProtectKernelLogs=true ProtectKernelModules=true RestrictNamespaces=true RestrictRealtime=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectClock=true +ProtectKernelTunables=true +ProtectControlGroups=true +# end of automatic additions LockPersonality=true MemoryDenyWriteExecute=true ++++++ haveged-switch-root.service ++++++ --- /var/tmp/diff_new_pack.KipXnk/_old 2021-11-20 02:39:01.160804079 +0100 +++ /var/tmp/diff_new_pack.KipXnk/_new 2021-11-20 02:39:01.160804079 +0100 @@ -8,6 +8,19 @@ [Service] ExecStart=-/usr/sbin/haveged -c root=/sysroot PrivateNetwork=yes +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot StandardInput=null StandardOutput=null ++++++ haveged.service ++++++ --- /var/tmp/diff_new_pack.KipXnk/_old 2021-11-20 02:39:01.180804013 +0100 +++ /var/tmp/diff_new_pack.KipXnk/_new 2021-11-20 02:39:01.180804013 +0100 @@ -12,6 +12,19 @@ ExecStart=/usr/sbin/haveged -w 1024 -v 0 -F CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT PrivateNetwork=yes +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Restart=always SuccessExitStatus=137 143
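Review bot: In haveged.spec, the new `Patch3: harden_haveged.service.patch` line has no descriptive comment, unlike Patch2 directly above it, which carries a `# PATCH-FIX-UPSTREAM:` line with the reason and the bug number. Add a comment above Patch3 that states the purpose and references bsc#1181400, so the spec file explains the patch without a lookup in the changes file.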
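Review bot: In harden_haveged.service.patch, the hunk edits contrib/Fedora/haveged.service, yet the same commit also changes the package's own haveged.service source with an overlapping set of directives. Please confirm which of the two unit files ends up installed; if it is the package's own haveged.service, this patch and the Patch3 entry have no effect and can be dropped. The "added automatically" comment block also lands in the middle of the upstream file's existing Protect*/Restrict* list, which will make the patch harder to rebase on the next upstream release.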
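Review bot: In haveged-switch-root.service, ProtectSystem=full and ProtectHome=true are added to a unit whose ExecStart is `haveged -c root=/sysroot`. Both directives place the process in its own mount namespace, so please confirm the unit was tested in the environment where it actually runs and that the command still sees /sysroot as expected. Because ExecStart carries the `-` prefix and StandardOutput=null is set, a failure caused by the new sandboxing would be ignored by systemd and leave no output, so it needs an explicit check rather than a look at the unit state.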
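Review bot: In haveged.service, ProtectKernelTunables=true is added while ExecStart still passes `-w 1024`. That option sets the kernel's write_wakeup_threshold, which lives under /proc/sys, and ProtectKernelTunables=true makes /proc/sys read-only for the service. Please verify that the daemon still starts and applies the threshold with this directive in place; with Restart=always a startup failure would turn into a restart loop. If it does not work, drop this one directive (or the -w argument) and keep the rest of the block.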