Hello community,

here is the log from the commit of package avahi for openSUSE:Factory checked in at 2022-12-07 17:33:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/avahi (Old)
 and /work/SRC/openSUSE:Factory/.avahi.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "avahi" Wed Dec 7 17:33:45 2022 rev:154 rq:1040260 version:0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/avahi/avahi.changes 2022-09-07 11:05:26.816316591 +0200 +++ /work/SRC/openSUSE:Factory/.avahi.new.1835/avahi.changes 2022-12-07 17:34:16.440312115 +0100 @@ -1,0 +2,7 @@ +Mon Dec 5 12:35:55 UTC 2022 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_avahi-daemon.service.patch + * harden_avahi-dnsconfd.service.patch + +------------------------------------------------------------------- New: ---- harden_avahi-daemon.service.patch harden_avahi-dnsconfd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ avahi.spec ++++++ --- /var/tmp/diff_new_pack.VjL0yL/_old 2022-12-07 17:34:17.308316867 +0100 +++ /var/tmp/diff_new_pack.VjL0yL/_new 2022-12-07 17:34:17.316316911 +0100 @@ -105,6 +105,8 @@ Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch # PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgo...@suse.com -- fix bytestring decoding for proper display. Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch +Patch28: harden_avahi-daemon.service.patch +Patch29: harden_avahi-dnsconfd.service.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gdbm-devel @@ -416,8 +418,9 @@ -# This is the avahi-discover command, only provided for the primary python3 flavor + +# This is the avahi-discover command, only provided for the primary python3 flavor %package -n python3-avahi-gtk Summary: A set of Avahi utilities written in Python Using python-gtk Group: Development/Languages/Python 
@@ -512,6 +515,8 @@ %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 +%patch29 -p1 %if !%{build_core} # Replace all .la references from local .la files to installed versions ++++++ harden_avahi-daemon.service.patch ++++++ Index: avahi-0.8/avahi-daemon/avahi-daemon.service.in =================================================================== --- avahi-0.8.orig/avahi-daemon/avahi-daemon.service.in +++ avahi-0.8/avahi-daemon/avahi-daemon.service.in @@ -20,6 +20,19 @@ Description=Avahi mDNS/DNS-SD Stack Requires=avahi-daemon.socket [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=dbus BusName=org.freedesktop.Avahi ExecStart=@sbindir@/avahi-daemon -s ++++++ harden_avahi-dnsconfd.service.patch ++++++ Index: avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in =================================================================== --- avahi-0.8.orig/avahi-dnsconfd/avahi-dnsconfd.service.in +++ avahi-0.8/avahi-dnsconfd/avahi-dnsconfd.service.in @@ -21,6 +21,19 @@ Requires=avahi-daemon.socket avahi-daemo After=avahi-daemon.socket [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple ExecStart=@sbindir@/avahi-dnsconfd -s
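Review bot: In the avahi.spec hunk at -105,6 +105,8, Patch28 and Patch29 are added without the descriptive comment line that Patch27 directly above them carries ("# PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch ..."). Suggest a comment above each new Patch line naming the patch, its origin and bsc#1181400, for example a PATCH-FIX-OPENSUSE line, so the spec itself records why the patches exist and not only avahi.changes. The -416,8 +418,9 hunk only moves a comment relative to a blank line and has nothing to do with the hardening; it would read more cleanly as a separate change.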
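Review bot: ProtectHostname=true in the avahi-daemon.service.in hunk needs a functional check before it goes in as an automatic addition. The setting puts the service in its own UTS namespace, and per systemd.exec(5) hostname changes made on the system afterwards no longer propagate into the service. For a unit described as "Avahi mDNS/DNS-SD Stack" that matters if the daemon is expected to notice a renamed host without a restart. Either confirm that this behaviour is not relied upon, or drop this one directive and say why in the comment block. It would also help to attach the systemd-analyze security output for the unit before and after, since the added block does not include NoNewPrivileges=, CapabilityBoundingSet= or RestrictAddressFamilies=.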
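Review bot: ProtectSystem=full in the avahi-dnsconfd.service.in hunk mounts /usr, the boot loader directories and /etc read-only for the service. If avahi-dnsconfd, or anything started from its ExecStart line, writes resolver configuration under /etc, those writes will fail with this setting. Please confirm this was tested, and if a write is needed add a ReadWritePaths= entry for the specific file rather than relaxing ProtectSystem. The same ten directives are applied verbatim to both units, so the "added automatically" comment should state which of them were verified for each service.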