Hello community,

here is the log from the commit of package colord for openSUSE:Factory checked in at 2021-12-16 21:18:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/colord (Old)
 and      /work/SRC/openSUSE:Factory/.colord.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "colord" Thu Dec 16 21:18:45 2021 rev:85 rq:940430 version:1.4.5 Changes: -------- --- /work/SRC/openSUSE:Factory/colord/colord.changes 2021-12-12 00:56:26.290536119 +0100 +++ /work/SRC/openSUSE:Factory/.colord.new.2520/colord.changes 2021-12-16 21:18:59.982514102 +0100 @@ -1,0 +2,6 @@ +Mon Dec 13 16:03:21 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_colord.service.patch + +------------------------------------------------------------------- New: ---- harden_colord.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ colord.spec ++++++ --- /var/tmp/diff_new_pack.TwVwK2/_old 2021-12-16 21:19:03.006515252 +0100 +++ /var/tmp/diff_new_pack.TwVwK2/_new 2021-12-16 21:19:03.014515256 +0100 @@ -28,6 +28,7 @@ Source0: https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz Source1: https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz.asc Source2: %{name}.keyring +Patch0: harden_colord.service.patch # Apparmor profile Source3: usr.lib.colord Source4: colord.sysusers ++++++ harden_colord.service.patch ++++++ Index: colord-1.4.5/data/colord.service.in =================================================================== --- colord-1.4.5.orig/data/colord.service.in +++ colord-1.4.5/data/colord.service.in @@ -10,3 +10,14 @@ User=@daemon_user@ # network namespacing is on. # PrivateNetwork=yes PrivateTmp=yes +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions
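Review bot: In the colord.spec hunk, `Patch0: harden_colord.service.patch` is declared but no %prep change is visible, so check that %prep actually applies it (through %autosetup or %autopatch, or an explicit %patch line); if it does not, the package still ships the unhardened unit. The tag also lands between Source2 and the "# Apparmor profile" comment that belongs to Source3; moving it below the Source lines keeps the sources grouped.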
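Review bot: In the harden_colord.service.patch hunk, `ProtectHome=true` makes /home, /root and /run/user appear empty to the daemon, and the changelog entry does not say the service was exercised afterwards; confirm that importing a profile stored under a user's home directory still works, and fall back to `ProtectHome=read-only` if colord has to open such paths itself. The patch also starts directly at `Index:` with no header; a short description carrying bsc#1181400 and the upstream status would tell later maintainers why the unit differs from upstream. Running `systemd-analyze security colord.service` before and after the change gives a quick view of what the added directives alter.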