Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sbd for openSUSE:Factory checked in at 2021-12-16 02:00:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sbd (Old) and /work/SRC/openSUSE:Factory/.sbd.new.2520 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sbd" Thu Dec 16 02:00:51 2021 rev:44 rq:940718 version:1.5.1+20211210.92ff8d8 Changes: -------- --- /work/SRC/openSUSE:Factory/sbd/sbd.changes 2021-11-17 01:15:33.178191529 +0100 +++ /work/SRC/openSUSE:Factory/.sbd.new.2520/sbd.changes 2021-12-16 02:01:25.311650665 +0100 @@ -1,0 +2,18 @@ +Mon Dec 13 14:47:20 UTC 2021 - Yan Gao <y...@suse.com> + +- Update to version 1.5.1+20211210.92ff8d8: +- configure: have --with-runstatedir overrule --runstatedir (bsc#1185182) + +------------------------------------------------------------------- +Mon Dec 6 15:35:16 UTC 2021 - Yan Gao <y...@suse.com> + +- services: enable systemd sandboxing settings for releases >= 15.4 + +------------------------------------------------------------------- +Thu Nov 25 09:03:29 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_sbd.service.patch + * harden_sbd_remote.service.patch + +------------------------------------------------------------------- Old: ---- sbd-1.5.1+20211116.6bb085f.tar.xz New: ---- harden_sbd.service.patch harden_sbd_remote.service.patch sbd-1.5.1+20211210.92ff8d8.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sbd.spec ++++++ --- /var/tmp/diff_new_pack.jNkaCB/_old 2021-12-16 02:01:25.875651008 +0100 +++ /var/tmp/diff_new_pack.jNkaCB/_new 2021-12-16 02:01:25.879651010 +0100 @@ -47,7 +47,7 @@ %global sync_resource_startup_sysconfig "" Name: sbd -Version: 1.5.1+20211116.6bb085f +Version: 1.5.1+20211210.92ff8d8 Release: 0 Summary: Storage-based death License: GPL-2.0-or-later 
@@ -56,6 +56,8 @@ Source: %{name}-%{version}.tar.xz Patch1: bsc#1140065-Fix-sbd-cluster-exit-if-cmap-is-disconnected.patch Patch2: bsc#1180966-0001-Log-sbd-inquisitor-downgrade-the-warning-about-SBD_S.patch +Patch3: harden_sbd.service.patch +Patch4: harden_sbd_remote.service.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: e2fsprogs-devel @@ -99,6 +101,12 @@ --with-runstatedir=%{_rundir} make %{?_smp_mflags} +# Avoid "Unknown key name 'XXX' in section 'Service', ignoring." warnings from systemd on older releases +%if 0%{?sle_version} < 150400 + sed -r -i '/^(Protect(Home|Hostname|KernelLogs|KernelModules|System))=/d' \ + src/sbd.service src/sbd_remote.service +%endif + %install %make_install LIBDIR=%{_libdir} install -D -m 0755 src/sbd.sh %{buildroot}%{_datadir}/sbd/sbd.sh ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.jNkaCB/_old 2021-12-16 02:01:25.927651039 +0100 +++ /var/tmp/diff_new_pack.jNkaCB/_new 2021-12-16 02:01:25.939651046 +0100 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/ClusterLabs/sbd.git</param> - <param name="changesrevision">6bb085f5704dd4c3841c79504f2aed2228e6d76a</param> + <param name="changesrevision">d9af069397d09c2695f14d1933084a9c83f8c178</param> </service> </servicedata> (No newline at EOF) ++++++ harden_sbd.service.patch ++++++ Index: sbd-1.5.1+20211116.6bb085f/src/sbd.service.in =================================================================== --- sbd-1.5.1+20211116.6bb085f.orig/src/sbd.service.in +++ sbd-1.5.1+20211116.6bb085f/src/sbd.service.in 
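Review bot: The `%if 0%{?sle_version} < 150400` guard in the sbd.spec build hunk is also true wherever `sle_version` is undefined, because the expression then reduces to `0 < 150400`. If that is the case on Factory/Tumbleweed, which I believe it is, the sed deletes all five `Protect*` lines there and the units ship without the sandboxing this update adds. Consider `%if 0%{?sle_version} && 0%{?sle_version} < 150400` so that only older SLE/Leap targets are stripped. The sed also removes `ProtectSystem` and `ProtectHome` along with the newer keys; if only some keys trigger the "Unknown key name" warning on the older targets, a narrower pattern would keep part of the hardening there.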
@@ -9,6 +9,14 @@ RefuseManualStop=true RefuseManualStart=true [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +# end of automatic additions Type=forking PIDFile=@runstatedir@/sbd.pid EnvironmentFile=-@CONFIGDIR@/sbd ++++++ harden_sbd_remote.service.patch ++++++ Index: sbd-1.5.1+20211116.6bb085f/src/sbd_remote.service.in =================================================================== --- sbd-1.5.1+20211116.6bb085f.orig/src/sbd_remote.service.in +++ sbd-1.5.1+20211116.6bb085f/src/sbd_remote.service.in @@ -7,6 +7,14 @@ RefuseManualStop=true RefuseManualStart=true [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +# end of automatic additions Type=forking PIDFile=@runstatedir@/sbd.pid EnvironmentFile=-@CONFIGDIR@/sbd ++++++ sbd-1.5.1+20211116.6bb085f.tar.xz -> sbd-1.5.1+20211210.92ff8d8.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbd-1.5.1+20211116.6bb085f/configure.ac new/sbd-1.5.1+20211210.92ff8d8/configure.ac --- old/sbd-1.5.1+20211116.6bb085f/configure.ac 2021-11-16 07:29:58.000000000 +0100 +++ new/sbd-1.5.1+20211210.92ff8d8/configure.ac 2021-12-10 16:45:02.000000000 +0100 @@ -198,7 +198,7 @@ sbd_runstatedir="" AC_ARG_WITH([runstatedir], [AS_HELP_STRING([--with-runstatedir=DIR], - [modifiable per-process data @<:@LOCALSTATEDIR/run@:>@ (ignored if --runstatedir is available)])], + [modifiable per-process data @<:@LOCALSTATEDIR/run@:>@])], [ sbd_runstatedir="$withval" ] ) 
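Review bot: The comment added under `[Service]` in harden_sbd.service.patch, and identically in harden_sbd_remote.service.patch, says the lines were "added automatically" but does not record which sandboxing options were left out on purpose. A later hardening pass could then add one that stops the daemon from fencing. I would add a line such as `# PrivateDevices= and ProtectKernelTunables= intentionally not set: sbd needs the watchdog and block devices`, after confirming that against what the daemon actually opens, since none of that is visible in this hunk. Both unit files continue beyond the lines shown.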
@@ -343,7 +343,13 @@ expand_path_option infodir expand_path_option mandir -AS_IF([test x"${runstatedir}" = x""], [runstatedir="${sbd_runstatedir}"]) +AS_IF([test x"${runstatedir}" = x""], [runstatedir="${sbd_runstatedir}"], + [test x"${sbd_runstatedir}" != x""], [ + echo "--with-runstatedir=${sbd_runstatedir} is taking precedence" + echo "over runstatedir=${runstatedir}." + echo "Consider using --runstatedir=${sbd_runstatedir} directly or let it" + echo "go with the default." + runstatedir="${sbd_runstatedir}"]) expand_path_option runstatedir "${localstatedir}/run" AC_SUBST(runstatedir)
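Review bot: The override notice in the new `AS_IF` branch is printed with plain `echo`, so it bypasses autoconf's message handling and is not recorded in config.log. `runstatedir` is substituted into the unit files (`PIDFile=@runstatedir@/sbd.pid`), so a silent change of that path is worth being able to trace after the build. I would replace the four `echo` lines with `AC_MSG_WARN([--with-runstatedir=${sbd_runstatedir} takes precedence over --runstatedir=${runstatedir}])` and keep the assignment that follows.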