Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package spotifyd for openSUSE:Factory checked in at 2021-11-27 00:51:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/spotifyd (Old)
 and      /work/SRC/openSUSE:Factory/.spotifyd.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "spotifyd" Sat Nov 27 00:51:35 2021 rev:4 rq:934016 version:0.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/spotifyd/spotifyd.changes 2021-11-05 22:59:08.788301526 +0100 +++ /work/SRC/openSUSE:Factory/.spotifyd.new.1895/spotifyd.changes 2021-11-27 00:52:27.582566866 +0100 @@ -1,0 +2,6 @@ +Tue Nov 23 15:19:39 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_spotifyd.service.patch + +------------------------------------------------------------------- New: ---- harden_spotifyd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spotifyd.spec ++++++ --- /var/tmp/diff_new_pack.lwz3FO/_old 2021-11-27 00:52:28.126564988 +0100 +++ /var/tmp/diff_new_pack.lwz3FO/_new 2021-11-27 00:52:28.130564974 +0100 @@ -25,6 +25,7 @@ URL: https://github.com/Spotifyd/spotifyd Source0: https://github.com/Spotifyd/spotifyd/archive/refs/tags/v%{version}.tar.gz#/spotifyd-%{version}.tar.gz Source1: vendor.tar.bz2 +Patch0: harden_spotifyd.service.patch BuildRequires: cargo BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(alsa) @@ -41,6 +42,7 @@ %prep %setup -q -a1 +%patch0 -p1 mkdir .cargo cat >.cargo/config <<EOF ++++++ harden_spotifyd.service.patch ++++++ Index: spotifyd-0.3.2/contrib/spotifyd.service =================================================================== --- spotifyd-0.3.2.orig/contrib/spotifyd.service +++ spotifyd-0.3.2/contrib/spotifyd.service 
@@ -7,6 +7,19 @@ Wants=network-online.target After=network-online.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=read-only +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=/usr/bin/spotifyd --no-daemon Restart=always RestartSec=12
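
Review bot: PrivateDevices=true in the [Service] block of contrib/spotifyd.service needs a functional check before this goes in. The spec builds against pkgconfig(alsa), and PrivateDevices= gives the unit a private /dev that contains only pseudo-devices such as /dev/null and /dev/random, so sound devices under /dev/snd are not visible to a daemon started with it. Please confirm that playback through ALSA still works with the patched unit, and if it does not, drop PrivateDevices=true from the automatic block and note the reason in the patch. ProtectHome=read-only deserves the same test if the daemon is configured to write a cache or credentials below a home directory, since that path becomes read-only for the service.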
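
Review bot: The new "Patch0: harden_spotifyd.service.patch" line in the spotifyd.spec hunk has no comment above it saying what the patch is for or where it is tracked. The changes entry already carries bsc#1181400, so a one-line patch tag comment in the spec (for example a PATCH-FIX-OPENSUSE line naming the patch and the bug) would keep the spec self-explanatory for whoever later has to rebase or drop the patch when upstream's contrib/spotifyd.service changes.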