Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tinc for openSUSE:Factory checked in at 2023-03-07 16:51:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tinc (Old)
 and /work/SRC/openSUSE:Factory/.tinc.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tinc" Tue Mar 7 16:51:00 2023 rev:8 rq:1069916 version:1.0.36 Changes: -------- --- /work/SRC/openSUSE:Factory/tinc/tinc.changes 2023-01-06 17:06:51.100618059 +0100 +++ /work/SRC/openSUSE:Factory/.tinc.new.31432/tinc.changes 2023-03-07 16:51:24.137922099 +0100 @@ -1,0 +2,8 @@ +Fri Jan 13 13:10:17 UTC 2023 - Johannes Segitz <jseg...@suse.com> + +- Removed PrivateDevices setting and allow access to /dev/net/tun for the + service. Updated harden_tinc@.service.patch (also harden_tinc.service.patch + to keep it in sync, even thought nothing really happens in there) + (bsc#1181400) + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tinc.spec ++++++ --- /var/tmp/diff_new_pack.r41F9P/_old 2023-03-07 16:51:24.777925473 +0100 +++ /var/tmp/diff_new_pack.r41F9P/_new 2023-03-07 16:51:24.785925515 +0100 @@ -1,7 +1,7 @@ # # spec file for package tinc # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,7 +35,7 @@ BuildRequires: pkgconfig(zlib) Requires(post): info -Requires(preun): info +Requires(preun):info %systemd_ordering %description ++++++ harden_tinc.service.patch ++++++ --- /var/tmp/diff_new_pack.r41F9P/_old 2023-03-07 16:51:24.817925684 +0100 +++ /var/tmp/diff_new_pack.r41F9P/_new 2023-03-07 16:51:24.821925705 +0100 @@ -2,7 +2,7 @@ =================================================================== --- tinc-1.0.36.orig/systemd/tinc.service.in +++ tinc-1.0.36/systemd/tinc.service.in -@@ -10,6 +10,19 @@ After=network.target +@@ -10,6 +10,20 @@ After=network.target Wants=network.target [Service] 
@@ -10,7 +10,6 @@ +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true -+PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true @@ -19,6 +18,8 @@ +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ++DeviceAllow=/dev/net/tun rwm ++DevicePolicy=closed Type=oneshot RemainAfterExit=yes ExecStart=/bin/true ++++++ harden_tinc@.service.patch ++++++ --- /var/tmp/diff_new_pack.r41F9P/_old 2023-03-07 16:51:24.837925790 +0100 +++ /var/tmp/diff_new_pack.r41F9P/_new 2023-03-07 16:51:24.837925790 +0100 @@ -2,7 +2,7 @@ =================================================================== --- tinc-1.0.36.orig/systemd/t...@.service.in +++ tinc-1.0.36/systemd/t...@.service.in -@@ -7,6 +7,19 @@ PartOf=tinc.service +@@ -7,6 +7,20 @@ PartOf=tinc.service ReloadPropagatedFrom=tinc.service [Service] @@ -10,7 +10,6 @@ +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true -+PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true @@ -19,6 +18,8 @@ +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ++DeviceAllow=/dev/net/tun rwm ++DevicePolicy=closed Type=simple WorkingDirectory=@sysconfdir@/tinc/%i ExecStart=@sbindir@/tincd -n %i -D
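Review bot: In the tinc.changes hunk the new entry reads "even thought nothing really happens in there"; that should be "even though". The entry also does not say why PrivateDevices had to go (the private /dev it sets up has no /dev/net/tun), which would help the next reader who only has the changelog and the bug number.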
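Review bot: In the tinc.spec hunk at -35,7 the line "Requires(preun):info" loses the space after the colon, while "Requires(post): info" directly above keeps it. This looks like an unintended formatter side effect and is unrelated to the hardening change described in the changelog; restore "Requires(preun): info" so the two lines stay aligned.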
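Review bot: In harden_tinc.service.patch the unit being patched is "Type=oneshot" with "ExecStart=/bin/true", so it never opens /dev/net/tun, yet the hunk drops "PrivateDevices=true" and adds "DeviceAllow=/dev/net/tun rwm". Keeping the two patches in sync is convenient, but it weakens this unit for no functional gain; consider leaving "PrivateDevices=true" here and applying the device exception only in harden_tinc@.service.patch.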
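Review bot: In harden_tinc@.service.patch, "DeviceAllow=/dev/net/tun rwm" grants mknod ("m") on top of read and write, and removing "PrivateDevices=true" also removes the CAP_MKNOD drop that setting implied. If tincd only opens the existing node, "DeviceAllow=/dev/net/tun rw" is the tighter grant. The two new lines sit after "# end of automatic additions" with no explanation; a short comment there naming bsc#1181400 and stating that PrivateDevices is intentionally absent would keep a later automatic hardening pass from adding it back.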