Hello community,

here is the log from the commit of package corosync-qdevice for 
openSUSE:Factory checked in at 2024-11-14 16:09:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/corosync-qdevice (Old)
 and      /work/SRC/openSUSE:Factory/.corosync-qdevice.new.2017 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "corosync-qdevice"

Thu Nov 14 16:09:49 2024 rev:2 rq:1224101 version:3.0.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/corosync-qdevice/corosync-qdevice.changes        
2024-06-20 16:47:39.502597753 +0200
+++ 
/work/SRC/openSUSE:Factory/.corosync-qdevice.new.2017/corosync-qdevice.changes  
    2024-11-14 16:10:48.828071048 +0100
@@ -1,0 +2,6 @@
+Wed Nov 13 08:13:57 UTC 2024 - Nicholas Yang <[email protected]>
+
+- Add a patch to harden services with systemd sandboxing:
+  * 0001-harden-services-with-systemd-sandboxing.patch
+
+-------------------------------------------------------------------

New:
----
  0001-harden-services-with-systemd-sandboxing.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ corosync-qdevice.spec ++++++
--- /var/tmp/diff_new_pack.WZal6c/_old  2024-11-14 16:10:50.064121297 +0100
+++ /var/tmp/diff_new_pack.WZal6c/_new  2024-11-14 16:10:50.068121460 +0100
@@ -8,16 +8,13 @@
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
-# case the license is the MIT license). An "Open Source License" is a
+# case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-# Conditionals
-# Invoke "rpmbuild --without <feature>" or "rpmbuild --with <feature>"
-# to disable or enable specific features
 
 %bcond_without runautogen
 %bcond_without systemd
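Review bot: Removing the three `# Conditionals` comment lines drops the only explanation that `%bcond_without runautogen` and `%bcond_without systemd` are toggled with `rpmbuild --with <feature>` / `--without <feature>`; unlike the license and URL wording fixes above it, this is a documentation regression rather than a cosmetic cleanup. Keep a one-line version above the `%bcond_without` lines, e.g. `# Conditionals: toggle with "rpmbuild --with <feature>" or "rpmbuild --without <feature>"`.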
@@ -33,6 +30,7 @@
 License: BSD-3-Clause
 URL:     https://github.com/corosync/corosync-qdevice
 Source0: 
https://github.com/corosync/corosync-qdevice/releases/download/v%{version}%{?gittarver}/%{name}-%{version}%{?gittarver}.tar.gz
+Patch0:         0001-harden-services-with-systemd-sandboxing.patch
 
 # Runtime bits
 Requires: corosync > 2.4.6
@@ -40,8 +38,8 @@
 Requires: mozilla-nss-tools
 
 %if %{with systemd}
-BuildRequires: pkgconfig(systemd)
 BuildRequires:  systemd-devel
+BuildRequires:  pkgconfig(systemd)
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@@ -69,11 +67,13 @@
 %endif
 
 %if %{with runautogen}
-BuildRequires: autoconf automake libtool
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
 %endif
 
 %prep
-%setup -q -n %{name}-%{version}%{?gittarver}
+%autosetup -p1 -n %{name}-%{version}%{?gittarver}
 
 echo %{version} > .tarball-version
 echo %{version} > .version

++++++ 0001-harden-services-with-systemd-sandboxing.patch ++++++
>From f7b8fd41b82ef11933f2d2b0e8f54192dfbcfa18 Mon Sep 17 00:00:00 2001
From: nicholasyang <[email protected]>
Date: Wed, 13 Nov 2024 16:11:10 +0800
Subject: [PATCH] harden services with systemd sandboxing

---
 init/corosync-qdevice.service.in | 10 ++++++++++
 init/corosync-qnetd.service.in   | 13 +++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/init/corosync-qdevice.service.in b/init/corosync-qdevice.service.in
index 5ffb498..824e557 100644
--- a/init/corosync-qdevice.service.in
+++ b/init/corosync-qdevice.service.in
@@ -14,5 +14,15 @@ Restart=on-failure
 RuntimeDirectory=corosync-qdevice
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+
 [Install]
 WantedBy=multi-user.target
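Review bot: The corosync-qdevice unit gets a noticeably weaker profile than the corosync-qnetd unit in the next hunk — `ProtectSystem=full` instead of `strict`, and no `ProtectControlGroups=`, `RestrictRealtime=` or `NoNewPrivileges=` — with nothing in the patch explaining the difference. If the gap is deliberate (qdevice runs on the cluster node next to corosync and may need write access or privileges that the qnetd daemon does not), that reasoning should sit next to the directives; if it is not, the three missing directives belong here too. Suggest a comment after the link line such as `# Less strict than corosync-qnetd.service: <reason> — TODO confirm against a running qdevice`, so the next person touching the unit knows which directives were verified and which were skipped on purpose.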
diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
index a8d6a7e..64da610 100644
--- a/init/corosync-qnetd.service.in
+++ b/init/corosync-qnetd.service.in
@@ -16,5 +16,18 @@ Restart=on-abnormal
 RuntimeDirectory=corosync-qnetd
 RuntimeDirectoryMode=0770
 
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
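Review bot: `ProtectSystem=strict` leaves only /dev, /proc and /sys (plus the `RuntimeDirectory=corosync-qnetd` shown above) writable, and the hunk adds no `ReadWritePaths=`, so any write the daemon makes under /etc or /var now fails with a read-only-filesystem error at start-up. The package requires mozilla-nss-tools, so if corosync-qnetd opens its NSS database for writing, or writes any other state outside its runtime directory, this is the line that breaks it; neither the patch description nor the changelog says the unit was exercised on a live qnetd. A comment recording what was checked, e.g. `# strict is safe here: the daemon writes only under its RuntimeDirectory — verified with corosync-qdevice <version>`, or a `ReadWritePaths=` entry for any path it does write, would make the intent verifiable.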
-- 
2.47.0
