Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cups for openSUSE:Factory checked in at 2021-11-27 00:50:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cups (Old) and /work/SRC/openSUSE:Factory/.cups.new.1895 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cups" Sat Nov 27 00:50:44 2021 rev:158 rq:933432 version:2.3.3op2 Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2021-06-11 22:30:51.334149081 +0200 +++ /work/SRC/openSUSE:Factory/.cups.new.1895/cups.changes 2021-11-27 00:51:25.126782509 +0100 @@ -1,0 +2,6 @@ +Fri Oct 15 07:31:10 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_cups.service.patch + +------------------------------------------------------------------- New: ---- harden_cups.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.AZSOqB/_old 2021-11-27 00:51:26.194778821 +0100 +++ /var/tmp/diff_new_pack.AZSOqB/_new 2021-11-27 00:51:26.198778807 +0100 @@ -85,6 +85,7 @@ Patch104: cups-config-libs.patch # Patch106 Fixes web UI Kerberos authentication (bsc#1175960) Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch +Patch107: harden_cups.service.patch # Build Requirements: BuildRequires: dbus-1-devel BuildRequires: fdupes @@ -309,6 +310,7 @@ %patch104 -b cups-config-libs.orig # Patch106 Fixes web UI Kerberos authentication (bsc#1175960) %patch106 -p1 +%patch107 -p1 %build # Remove ".SILENT" rule for verbose build output ++++++ harden_cups.service.patch ++++++ Index: cups-2.3.3op2/scheduler/cups.service.in =================================================================== --- cups-2.3.3op2.orig/scheduler/cups.service.in +++ cups-2.3.3op2/scheduler/cups.service.in @@ -5,6 +5,17 @@ After=network.target sssd.service ypbind Requires=cups.socket [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=@sbindir@/cupsd -l Type=notify Restart=on-failure