Hello community,

here is the log from the commit of package sanlock for openSUSE:Factory checked in at 2021-12-01 20:46:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sanlock (Old)
 and /work/SRC/openSUSE:Factory/.sanlock.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sanlock" Wed Dec 1 20:46:16 2021 rev:28 rq:934637 version:3.8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/sanlock/sanlock.changes 2021-06-14 23:10:03.720639563 +0200 +++ /work/SRC/openSUSE:Factory/.sanlock.new.31177/sanlock.changes 2021-12-02 02:26:27.376357852 +0100 @@ -1,0 +2,7 @@ +Tue Nov 16 14:08:25 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_fence_sanlockd.service.patch + * harden_sanlk-resetd.service.patch + +------------------------------------------------------------------- New: ---- harden_fence_sanlockd.service.patch harden_sanlk-resetd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sanlock.spec ++++++ --- /var/tmp/diff_new_pack.jWih5S/_old 2021-12-02 02:26:27.844356237 +0100 +++ /var/tmp/diff_new_pack.jWih5S/_new 2021-12-02 02:26:27.848356223 +0100 @@ -1,5 +1,5 @@ # -# spec file +# spec file for package sanlock # # Copyright (c) 2021 SUSE LLC # @@ -62,6 +62,8 @@ Patch101: sanlock-python-prefix.patch Patch102: suse-systemd.patch Patch103: suse-no-date-time.patch +Patch104: harden_fence_sanlockd.service.patch +Patch105: harden_sanlk-resetd.service.patch BuildRequires: %{python_module devel} BuildRequires: libaio-devel BuildRequires: pkgconfig @@ -141,6 +143,8 @@ %patch101 %patch102 -p1 %patch103 -p1 +%patch104 -p1 +%patch105 -p1 %build %if ! %{with python} ++++++ harden_fence_sanlockd.service.patch ++++++ Index: sanlock-3.8.4/init.d/fence_sanlockd.service =================================================================== --- sanlock-3.8.4.orig/init.d/fence_sanlockd.service +++ sanlock-3.8.4/init.d/fence_sanlockd.service 
@@ -4,6 +4,17 @@ After=syslog.target wdmd.service sanlock Before=corosync.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking ExecStart=/usr/lib/systemd/systemd-fence_sanlockd start ExecStop=/usr/lib/systemd/systemd-fence_sanlockd stop ++++++ harden_sanlk-resetd.service.patch ++++++ Index: sanlock-3.8.4/init.d/sanlk-resetd.service =================================================================== --- sanlock-3.8.4.orig/init.d/sanlk-resetd.service +++ sanlock-3.8.4/init.d/sanlk-resetd.service @@ -4,6 +4,17 @@ After=wdmd.service sanlock.service Requires=wdmd.service sanlock.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking ExecStart=/usr/sbin/sanlk-resetd
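
Review bot: The sanlock.changes entry says only "Added hardening to systemd service(s)", while the sanlock.spec hunks add Patch104 and Patch105 for fence_sanlockd.service and sanlk-resetd.service alone. Both patched units order themselves against wdmd.service and sanlock.service (sanlk-resetd.service also has "Requires=wdmd.service sanlock.service"), and neither of those units is patched in this change. Suggest the changelog entry name the units that were hardened and say whether the other two were left out on purpose, so a reader following bsc#1181400 does not assume the whole package is covered.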
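
Review bot: In the fence_sanlockd.service hunk, "RestrictRealtime=true" and "ProtectKernelTunables=true" are applied under a comment that says the block was "added automatically", and nothing in the patch records that the daemon was exercised with them. RestrictRealtime=true makes any attempt to acquire a realtime scheduling policy fail, and ProtectKernelTunables=true makes /proc/sys and /sys read-only for the service, so a conflict shows up only at runtime, not when the unit is loaded. Because the unit is Type=forking and starts through /usr/lib/systemd/systemd-fence_sanlockd, the restrictions also apply to everything that wrapper spawns. Suggest recording in the patch header how the unit was tested (start and stop at minimum), and dropping any single directive the daemon cannot run under instead of leaving the whole block unverified.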
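
Review bot: The block added to [Service] in the sanlk-resetd.service hunk is the same eight directives as in fence_sanlockd.service, with no per-unit justification beyond the link to the hardening page. "ProtectSystem=full" mounts /usr, the boot loader directories and /etc read-only, and "ProtectHome=true" makes /home, /root and /run/user inaccessible, so the patch header should state that /usr/sbin/sanlk-resetd writes to none of those paths. If it does need one of them, a ReadWritePaths= entry for that path is a narrower fix than removing the directive.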