Hello community,

here is the log from the commit of package haveged for openSUSE:Factory checked in at 2021-11-23 22:10:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haveged (Old)
 and /work/SRC/openSUSE:Factory/.haveged.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haveged" Tue Nov 23 22:10:23 2021 rev:62 rq:932923 version:1.9.14 Changes: -------- --- /work/SRC/openSUSE:Factory/haveged/haveged.changes 2021-11-20 23:24:12.560604107 +0100 +++ /work/SRC/openSUSE:Factory/.haveged.new.1895/haveged.changes 2021-11-23 22:12:37.334470768 +0100 @@ -1,0 +2,6 @@ +Mon Nov 22 08:14:39 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Remove ProtectKernelTunables hardening, causes the service to fail + (boo#1192921) + +------------------------------------------------------------------- @@ -13,0 +20,9 @@ + +------------------------------------------------------------------- +Tue Sep 21 12:15:06 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_haveged.service.patch + Modified: + * haveged-switch-root.service + * haveged.service New: ---- harden_haveged.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haveged.spec ++++++ --- /var/tmp/diff_new_pack.k0cxJW/_old 2021-11-23 22:12:37.866469009 +0100 +++ /var/tmp/diff_new_pack.k0cxJW/_new 2021-11-23 22:12:37.874468982 +0100 @@ -32,6 +32,7 @@ Patch0: ppc64le.patch # PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psim...@suse.com bnc#959237 Patch2: haveged-no-syslog.patch +Patch3: harden_haveged.service.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool ++++++ harden_haveged.service.patch ++++++ Index: haveged-1.9.14/contrib/Fedora/haveged.service =================================================================== --- haveged-1.9.14.orig/contrib/Fedora/haveged.service +++ haveged-1.9.14/contrib/Fedora/haveged.service 
@@ -24,6 +24,11 @@ ProtectKernelLogs=true ProtectKernelModules=true RestrictNamespaces=true RestrictRealtime=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectClock=true +ProtectControlGroups=true +# end of automatic additions LockPersonality=true MemoryDenyWriteExecute=true ++++++ haveged-switch-root.service ++++++ --- /var/tmp/diff_new_pack.k0cxJW/_old 2021-11-23 22:12:37.950468731 +0100 +++ /var/tmp/diff_new_pack.k0cxJW/_new 2021-11-23 22:12:37.950468731 +0100 @@ -8,6 +8,18 @@ [Service] ExecStart=-/usr/sbin/haveged -c root=/sysroot PrivateNetwork=yes +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot StandardInput=null StandardOutput=null ++++++ haveged.service ++++++ --- /var/tmp/diff_new_pack.k0cxJW/_old 2021-11-23 22:12:37.970468665 +0100 +++ /var/tmp/diff_new_pack.k0cxJW/_new 2021-11-23 22:12:37.970468665 +0100 @@ -12,6 +12,18 @@ ExecStart=/usr/sbin/haveged -w 1024 -v 0 -F CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT PrivateNetwork=yes +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Restart=always SuccessExitStatus=137 143
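Review bot: In the haveged.changes hunk, the Nov 22 entry does not say which unit the ProtectKernelTunables directive was dropped from, nor what the failure looked like. The package carries three unit files (contrib/Fedora/haveged.service via the patch, haveged-switch-root.service and haveged.service), so naming the affected file(s) and the failing operation in the entry would let a later reader check the fix without opening boo#1192921.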
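Review bot: In the haveged.spec hunk, the new Patch3 line has no descriptive comment, while Patch2 directly above it carries a "# PATCH-FIX-UPSTREAM: ..." line with a description and bug number. Please add a matching comment above Patch3 that says what the patch does and references bsc#1181400. The hunk shows only the declaration, so it is also worth confirming that the patch is applied in %prep.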
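Review bot: In the haveged-switch-root.service hunk, the sandboxing block is added to a unit whose ExecStart carries the "-" prefix and whose StandardOutput is null, so a start-up failure caused by any of the new directives would be ignored and leave no output. The changelog in this same commit records that one hardening directive already made the service fail, so the switch-root path should be tested explicitly with this block in place (for example by checking the unit's result after boot) rather than relying on the absence of errors.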
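Review bot: In the haveged.service hunk, the block between "# added automatically" and "# end of automatic additions" gives no hint that ProtectKernelTunables was deliberately left out, although the changelog says it was removed because it breaks the service. Since the block is marked as machine-generated, a later automatic hardening pass could reintroduce the directive. A comment line inside the unit noting that ProtectKernelTunables must stay unset, with the boo#1192921 reference, would prevent that. Separately, the contrib/Fedora unit's context lines show RestrictNamespaces, LockPersonality and MemoryDenyWriteExecute, none of which appear in the visible part of this unit. If they are not set elsewhere in the file, consider whether they can be added here as well.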