Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2021-12-01 20:46:40

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and      /work/SRC/openSUSE:Factory/.strongswan.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Wed Dec 1 20:46:40 2021 rev:79 rq:934253 version:5.9.4 Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2021-11-27 00:50:36.974948763 +0100 +++ /work/SRC/openSUSE:Factory/.strongswan.new.31177/strongswan.changes 2021-12-02 02:27:14.768194318 +0100 @@ -1,0 +2,6 @@ +Wed Nov 24 08:25:29 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_strongswan.service.patch + +------------------------------------------------------------------- New: ---- harden_strongswan.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.h7OKbQ/_old 2021-12-02 02:27:15.316192427 +0100 +++ /var/tmp/diff_new_pack.h7OKbQ/_new 2021-12-02 02:27:15.320192413 +0100 @@ -80,6 +80,7 @@ Patch3: %{name}_fipscheck.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch +Patch6: harden_strongswan.service.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -267,6 +268,7 @@ < %{_sourcedir}/fipscheck.sh.in \ > _fipscheck %endif +%patch6 -p1 %build CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" ++++++ harden_strongswan.service.patch ++++++ Index: strongswan-5.9.3/init/systemd/strongswan.service.in =================================================================== --- strongswan-5.9.3.orig/init/systemd/strongswan.service.in +++ strongswan-5.9.3/init/systemd/strongswan.service.in 
@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2 After=network-online.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=notify ExecStart=@SBINDIR@/charon-systemd ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
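Review bot: The spec hunk adding `Patch6: harden_strongswan.service.patch` pulls in a patch whose `Index:` and `---` headers reference strongswan-5.9.3, while this package builds version 5.9.4; `%patch6 -p1` strips that leading directory so it still applies, but the patch should be regenerated against the 5.9.4 tree so the headers match the sources and a future upstream change to init/systemd/strongswan.service.in does not start applying with offset or fuzz unnoticed.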
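Review bot: The sandboxing block in the [Service] section changes what charon-systemd and the ExecStartPost `swanctl --load-all` can see: ProtectHome=true makes /home, /root and /run/user inaccessible, ProtectSystem=full mounts /usr, /boot and /etc read-only, and ProtectKernelTunables=true makes /proc/sys and /sys read-only, so deployments that keep certificates or keys under /root or /home, or that rely on the daemon writing under /etc or to sysctls at runtime, will break with this update. Since the comment says the block was added automatically, the .changes entry should record that the service was started and a configuration loaded with the directives in place (check `journalctl -u strongswan` for EROFS/EACCES after `swanctl --load-all`, and `systemd-analyze security strongswan.service` for the resulting exposure), and the entry should mention the new path restrictions so administrators know where loaded credentials must live.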
