Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package sanlock for openSUSE:Factory checked
in at 2021-12-01 20:46:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sanlock (Old)
and /work/SRC/openSUSE:Factory/.sanlock.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sanlock"
Wed Dec 1 20:46:16 2021 rev:28 rq:934637 version:3.8.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/sanlock/sanlock.changes 2021-06-14
23:10:03.720639563 +0200
+++ /work/SRC/openSUSE:Factory/.sanlock.new.31177/sanlock.changes
2021-12-02 02:26:27.376357852 +0100
@@ -1,0 +2,7 @@
+Tue Nov 16 14:08:25 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_fence_sanlockd.service.patch
+ * harden_sanlk-resetd.service.patch
+
+-------------------------------------------------------------------
New:
----
harden_fence_sanlockd.service.patch
harden_sanlk-resetd.service.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sanlock.spec ++++++
--- /var/tmp/diff_new_pack.jWih5S/_old 2021-12-02 02:26:27.844356237 +0100
+++ /var/tmp/diff_new_pack.jWih5S/_new 2021-12-02 02:26:27.848356223 +0100
@@ -1,5 +1,5 @@
#
-# spec file
+# spec file for package sanlock
#
# Copyright (c) 2021 SUSE LLC
#
@@ -62,6 +62,8 @@
Patch101: sanlock-python-prefix.patch
Patch102: suse-systemd.patch
Patch103: suse-no-date-time.patch
+Patch104: harden_fence_sanlockd.service.patch
+Patch105: harden_sanlk-resetd.service.patch
BuildRequires: %{python_module devel}
BuildRequires: libaio-devel
BuildRequires: pkgconfig
@@ -141,6 +143,8 @@
%patch101
%patch102 -p1
%patch103 -p1
+%patch104 -p1
+%patch105 -p1
%build
%if ! %{with python}
++++++ harden_fence_sanlockd.service.patch ++++++
Index: sanlock-3.8.4/init.d/fence_sanlockd.service
===================================================================
--- sanlock-3.8.4.orig/init.d/fence_sanlockd.service
+++ sanlock-3.8.4/init.d/fence_sanlockd.service
@@ -4,6 +4,17 @@ After=syslog.target wdmd.service sanlock
Before=corosync.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=/usr/lib/systemd/systemd-fence_sanlockd start
ExecStop=/usr/lib/systemd/systemd-fence_sanlockd stop
++++++ harden_sanlk-resetd.service.patch ++++++
Index: sanlock-3.8.4/init.d/sanlk-resetd.service
===================================================================
--- sanlock-3.8.4.orig/init.d/sanlk-resetd.service
+++ sanlock-3.8.4/init.d/sanlk-resetd.service
@@ -4,6 +4,17 @@ After=wdmd.service sanlock.service
Requires=wdmd.service sanlock.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=/usr/sbin/sanlk-resetd
