Hello community,

here is the log from the commit of package sysstat for openSUSE:Factory checked in at 2021-12-01 20:46:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sysstat (Old)
 and /work/SRC/openSUSE:Factory/.sysstat.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sysstat" Wed Dec 1 20:46:58 2021 rev:97 rq:934592 version:12.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/sysstat/sysstat.changes 2021-10-18 21:58:16.229923354 +0200 +++ /work/SRC/openSUSE:Factory/.sysstat.new.31177/sysstat.changes 2021-12-02 02:27:23.016165856 +0100 @@ -1,0 +2,6 @@ +Wed Nov 24 12:33:59 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_sysstat.service.patch + +------------------------------------------------------------------- New: ---- harden_sysstat.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sysstat.spec ++++++ --- /var/tmp/diff_new_pack.d88lZ3/_old 2021-12-02 02:27:23.476164269 +0100 +++ /var/tmp/diff_new_pack.d88lZ3/_new 2021-12-02 02:27:23.476164269 +0100 @@ -33,6 +33,7 @@ Patch2: sysstat-8.0.4-pagesize.diff # PATCH-FIX-OPENSUSE bsc#1151453 Patch3: sysstat-service.patch +Patch4: harden_sysstat.service.patch BuildRequires: findutils BuildRequires: gettext-runtime BuildRequires: pkgconfig @@ -75,6 +76,7 @@ cp %{SOURCE1} . # remove date and time from objects find ./ -name \*.c -exec sed -i -e 's: " compiled " __DATE__ " " __TIME__::g' {} \; +%patch4 -p1 %build export conf_dir="%{_sysconfdir}/sysstat" ++++++ harden_sysstat.service.patch ++++++ Index: sysstat-12.4.3/sysstat.service.in =================================================================== --- sysstat-12.4.3.orig/sysstat.service.in +++ sysstat-12.4.3/sysstat.service.in 
@@ -10,6 +10,17 @@ Description=Resets System Activity Logs After=remote-fs.target local-fs.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot RemainAfterExit=yes User=@CRON_OWNER@
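Review bot: In the sysstat.spec hunk at `@@ -33,6 +33,7 @@`, the new `Patch4: harden_sysstat.service.patch` line has no tag comment, while Patch3 directly above it carries `# PATCH-FIX-OPENSUSE bsc#1151453`. Add a matching comment line above Patch4, for example `# PATCH-FIX-OPENSUSE bsc#1181400`, so the spec records the patch origin and the bug reference that the sysstat.changes entry already gives.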
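Review bot: In the sysstat.service.in hunk, `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only, so everything else on the file system stays writable for this unit. The unit is a `Type=oneshot` job running as `User=@CRON_OWNER@` whose description is "Resets System Activity Logs", so its write needs look narrow; consider `ProtectSystem=strict` with a `ReadWritePaths=` entry for the activity-log directory, and confirm the reset still succeeds with the chosen setting. Separately, the changelog entry says "systemd service(s)" but this patch touches only sysstat.service.in; if the package ships further units, they are not covered by this change.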