Hello community,

here is the log from the commit of package wireguard-tools for openSUSE:Factory 
checked in at 2022-01-10 23:53:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wireguard-tools (Old)
 and      /work/SRC/openSUSE:Factory/.wireguard-tools.new.1892 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "wireguard-tools"

Mon Jan 10 23:53:01 2022 rev:13 rq:945229 version:1.0.20210914

Changes:
--------
--- /work/SRC/openSUSE:Factory/wireguard-tools/wireguard-tools.changes  
2021-10-04 18:42:17.418284162 +0200
+++ 
/work/SRC/openSUSE:Factory/.wireguard-tools.new.1892/wireguard-tools.changes    
    2022-01-10 23:53:07.708779364 +0100
@@ -1,0 +2,6 @@
+Wed Jan  5 10:43:06 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_wg-quick@.service.patch
+
+-------------------------------------------------------------------

New:
----
  harden_wg-quick@.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ wireguard-tools.spec ++++++
--- /var/tmp/diff_new_pack.0Mtr6G/_old  2022-01-10 23:53:08.736780265 +0100
+++ /var/tmp/diff_new_pack.0Mtr6G/_new  2022-01-10 23:53:08.740780268 +0100
@@ -27,6 +27,7 @@
 Source:         
https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-%{version}.tar.xz
 Source1:        
https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-%{version}.tar.asc
 Source99:       
https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc#/WireGuard.keyring
+Patch0:        harden_wg-quick@.service.patch
 BuildRequires:  bash-completion
 BuildRequires:  pkgconfig
 %systemd_requires
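Review bot: the added Patch0 line is indented one space short of the Source and BuildRequires tags around it, so its value does not line up with the rest of the preamble; pad it to the same column. A one-line comment above it naming bsc#1181400 and saying whether the patch is distribution-only or has been sent upstream would also help the next maintainer decide whether it can be dropped on a version bump.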
@@ -49,6 +50,7 @@
 %setup -q -n wireguard-tools-%{version}
 ## HACK: Fixing wg-quick's DNS= directive with a hatchet
 contrib/dns-hatchet/apply.sh
+%patch0 -p1
 
 %build
 export CFLAGS="%{optflags}"
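Review bot: %patch0 -p1 is placed after contrib/dns-hatchet/apply.sh, so the patch is applied to a tree the hatchet script has already rewritten rather than to the unpacked tarball. The patch only touches src/systemd/wg-quick@.service, so it works today, but the ordering makes a future rebase fail in a confusing way if the hatchet ever changes the same file. Move %patch0 -p1 directly below %setup, or add a comment stating that the order is intentional.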


++++++ harden_wg-quick@.service.patch ++++++
Index: wireguard-tools-1.0.20210914/src/systemd/wg-quick@.service
===================================================================
--- wireguard-tools-1.0.20210914.orig/src/systemd/wg-quick@.service
+++ wireguard-tools-1.0.20210914/src/systemd/wg-quick@.service
@@ -11,6 +11,16 @@ Documentation=https://git.zx2c4.com/wire
 Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=false
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/wg-quick up %i
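Review bot: ProtectSystem=full makes /etc read-only for everything started by ExecStart=/usr/bin/wg-quick up %i, and this package builds wg-quick with the contrib/dns-hatchet DNS= handling (see the HACK comment in the spec), so a tunnel whose configuration sets DNS= or relies on wg-quick writing back under /etc needs to be tested with this unit before it ships. If that path does write below /etc, either relax the setting to ProtectSystem=true or add a ReadWritePaths= entry for exactly the files involved. The same applies to ProtectKernelModules=true for configurations whose PreUp/PostUp hooks load modules explicitly. Two smaller points: ProtectHome=false is the systemd default, so the line changes nothing and should carry a comment saying why home directories stay accessible, and the "# end of automatic additions " line has trailing whitespace.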
