Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fwupd for openSUSE:Factory checked in at 2021-10-20 20:23:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fwupd (Old)
 and      /work/SRC/openSUSE:Factory/.fwupd.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fwupd" Wed Oct 20 20:23:45 2021 rev:44 rq:925953 version:1.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/fwupd/fwupd.changes 2021-10-12 21:47:56.251750111 +0200 +++ /work/SRC/openSUSE:Factory/.fwupd.new.1890/fwupd.changes 2021-10-20 20:24:32.585387660 +0200 @@ -1,0 +2,7 @@ +Fri Oct 15 07:30:24 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_fwupd-offline-update.service.patch + * harden_fwupd-refresh.service.patch + +------------------------------------------------------------------- New: ---- harden_fwupd-offline-update.service.patch harden_fwupd-refresh.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fwupd.spec ++++++ --- /var/tmp/diff_new_pack.rcn1z7/_old 2021-10-20 20:24:33.153388011 +0200 +++ /var/tmp/diff_new_pack.rcn1z7/_new 2021-10-20 20:24:33.153388011 +0200 @@ -51,6 +51,8 @@ Patch1: fwupd-bsc1130056-change-shim-path.patch # PATCH-FIX-OPENSUSE fwupd-jscSLE-11766-close-efidir-leap-gap.patch jsc#SLE-11766 [email protected] -- Set SLE and openSUSE esp os dir at runtime Patch2: fwupd-jscSLE-11766-close-efidir-leap-gap.patch +Patch3: harden_fwupd-offline-update.service.patch +Patch4: harden_fwupd-refresh.service.patch BuildRequires: dejavu-fonts %if %{with fish_support} ++++++ harden_fwupd-offline-update.service.patch ++++++ Index: fwupd-1.6.2/data/fwupd-offline-update.service.in =================================================================== --- fwupd-1.6.2.orig/data/fwupd-offline-update.service.in +++ fwupd-1.6.2/data/fwupd-offline-update.service.in 
@@ -8,6 +8,16 @@ After=sysinit.target system-update-pre.t Before=shutdown.target system-update.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=@libexecdir@/fwupd/fwupdoffline FailureAction=reboot ++++++ harden_fwupd-refresh.service.patch ++++++ Index: fwupd-1.6.2/data/motd/fwupd-refresh.service.in =================================================================== --- fwupd-1.6.2.orig/data/motd/fwupd-refresh.service.in +++ fwupd-1.6.2/data/motd/fwupd-refresh.service.in @@ -13,5 +13,13 @@ SystemCallFilter=~@mount ProtectKernelModules=yes ProtectControlGroups=yes RestrictRealtime=yes +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelLogs=true +# end of automatic additions SuccessExitStatus=2 ExecStart=@bindir@/fwupdmgr refresh
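Review bot: In the fwupd.spec hunk, `Patch3:` and `Patch4:` are added without the tag comment that `Patch2:` directly above them carries (`# PATCH-FIX-OPENSUSE fwupd-jscSLE-11766-close-efidir-leap-gap.patch jsc#SLE-11766 ...`). Add a matching comment line above each new patch that names the patch file, references bsc#1181400 from the fwupd.changes entry, and says in one line what the patch does, so the spec explains the patches without a trip to the changelog.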
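Review bot: In harden_fwupd-offline-update.service.patch, `ProtectSystem=full` is added to the unit that runs `@libexecdir@/fwupd/fwupdoffline`, and no `ReadWritePaths=` accompanies it. With `full`, systemd mounts /usr, the boot loader directories (/boot and /efi) and /etc read-only for the service, so please confirm that this process never writes under those paths while applying an offline update, and add a `ReadWritePaths=` exception for any path it does need. Because the unit also sets `FailureAction=reboot`, a failure caused by a read-only path would reboot the machine rather than leave an obvious error, so this should be tested with a real offline update before it ships.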
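Review bot: In harden_fwupd-refresh.service.patch, the added directives are written with `=true` while the existing lines in the same unit use `=yes` (`ProtectKernelModules=yes`, `ProtectControlGroups=yes`, `RestrictRealtime=yes`). systemd accepts both spellings, but the new lines should use `=yes` to match the file. The unit already filters `@mount` and protects kernel modules and control groups, so the additions are consistent with what is there; it is still worth running `fwupdmgr refresh` through this unit once to confirm that `ProtectSystem=full` and `ProtectHome=true` leave the paths it writes its metadata to writable.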
