Hello community,

here is the log from the commit of package nut for openSUSE:Factory checked in at 2021-10-26 20:14:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nut (Old)
 and      /work/SRC/openSUSE:Factory/.nut.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nut" Tue Oct 26 20:14:23 2021 rev:70 rq:927573 version:2.7.4 Changes: -------- --- /work/SRC/openSUSE:Factory/nut/nut.changes 2021-06-28 15:34:21.307239386 +0200 +++ /work/SRC/openSUSE:Factory/.nut.new.1890/nut.changes 2021-10-26 20:15:11.494057279 +0200 @@ -1,0 +2,8 @@ +Fri Oct 15 07:26:53 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_nut-driver.service.patch + * harden_nut-monitor.service.patch + * harden_nut-server.service.patch + +------------------------------------------------------------------- New: ---- harden_nut-driver.service.patch harden_nut-monitor.service.patch harden_nut-server.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nut.spec ++++++ --- /var/tmp/diff_new_pack.UTpWYx/_old 2021-10-26 20:15:12.202057654 +0200 +++ /var/tmp/diff_new_pack.UTpWYx/_new 2021-10-26 20:15:12.202057654 +0200 @@ -59,6 +59,9 @@ Patch12: nut-upssched.patch Patch13: reproducible.patch Patch14: nutscanner-ftbfs.patch +Patch15: harden_nut-driver.service.patch +Patch16: harden_nut-monitor.service.patch +Patch17: harden_nut-server.service.patch BuildRequires: apache-rpm-macros BuildRequires: asciidoc BuildRequires: avahi-devel @@ -178,6 +181,9 @@ %patch13 -p1 %patch14 -p1 sed -i s/@now@/`date -r ChangeLog +%%Y-%%m-%%d`/g docs/docinfo.xml.in +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 sed -i s:%{_prefix}/local/ups/bin:/bin: conf/upssched.conf.sample.in ++++++ harden_nut-driver.service.patch ++++++ Index: nut-2.7.4/scripts/systemd/nut-driver.service.in =================================================================== --- nut-2.7.4.orig/scripts/systemd/nut-driver.service.in +++ nut-2.7.4/scripts/systemd/nut-driver.service.in 
@@ -4,6 +4,17 @@ After=local-fs.target network.target StopWhenUnneeded=yes [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=@SBINDIR@/upsdrvctl start ExecStop=@SBINDIR@/upsdrvctl stop Type=forking ++++++ harden_nut-monitor.service.patch ++++++ Index: nut-2.7.4/scripts/systemd/nut-monitor.service.in =================================================================== --- nut-2.7.4.orig/scripts/systemd/nut-monitor.service.in +++ nut-2.7.4/scripts/systemd/nut-monitor.service.in @@ -3,6 +3,17 @@ Description=Network UPS Tools - power de After=local-fs.target network.target nut-server.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=@SBINDIR@/upsmon PIDFile=@PIDPATH@/upsmon.pid Type=forking ++++++ harden_nut-server.service.patch ++++++ Index: nut-2.7.4/scripts/systemd/nut-server.service.in =================================================================== --- nut-2.7.4.orig/scripts/systemd/nut-server.service.in +++ nut-2.7.4/scripts/systemd/nut-server.service.in 
@@ -8,6 +8,17 @@ Wants=nut-driver.service Before=nut-monitor.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=@SBINDIR@/upsd Type=forking
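
Review bot: In the nut.spec %prep hunk, %patch15 to %patch17 are applied after the `sed -i s/@now@/...` line instead of directly after %patch14. The order is harmless here because the three patches only touch scripts/systemd/*.service.in, but keeping all %patch lines together before the sed fix-ups makes the prep sequence easier to audit when the next patch is added.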
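
Review bot: In harden_nut-driver.service.patch, the "added automatically" comment does not record what was checked for this unit, which runs `upsdrvctl start` and so launches the processes that talk to the UPS hardware. The directive set leaves device access alone, which is what a hardware driver needs, but nothing in the unit says that this is deliberate. Consider a one-line comment stating that device-restricting options such as PrivateDevices= are intentionally not set, so a later automated pass does not add them and cut the drivers off from their serial or USB devices.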
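
Review bot: In harden_nut-monitor.service.patch, `ProtectSystem=full` makes /etc read-only for upsmon, and that can break the shutdown path. upsmon creates the file named by POWERDOWNFLAG in upsmon.conf when it initiates a shutdown, and the upstream sample configuration points that at /etc/killpower. If the packaged upsmon.conf keeps a flag path under /etc, the write will fail under this unit. Either confirm the packaged POWERDOWNFLAG lives in a writable location or add a matching ReadWritePaths= entry. Note also that commands upsmon spawns (NOTIFYCMD, SHUTDOWNCMD) inherit `ProtectHome=true` and the other restrictions, so site scripts that touch /home or /root need testing too.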
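
Review bot: In harden_nut-server.service.patch, upsd gets exactly the same block as the driver and monitor units, although `ExecStart=@SBINDIR@/upsd` is the network-facing daemon of the three. The added lines cover filesystem and kernel-interface protection only. For this unit it is worth evaluating options that the generic set leaves out, for example NoNewPrivileges=, PrivateTmp= and RestrictAddressFamilies=, and checking the result with `systemd-analyze security nut-server.service` after confirming upsd still starts and serves clients with `Type=forking`.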
