commit xrootd for openSUSE:Factory

[Source-Sync]

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package xrootd for openSUSE:Factory checked 
in at 2022-01-20 00:12:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xrootd (Old)
 and      /work/SRC/openSUSE:Factory/.xrootd.new.1892 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xrootd"

Thu Jan 20 00:12:24 2022 rev:22 rq:947399 version:4.12.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/xrootd/xrootd.changes    2021-07-21 
19:07:53.283448727 +0200
+++ /work/SRC/openSUSE:Factory/.xrootd.new.1892/xrootd.changes  2022-01-20 
00:13:18.578626401 +0100
@@ -1,0 +2,9 @@
+Mon Jan 10 12:39:14 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_cmsd@.service.patch
+  * harden_frm_purged@.service.patch
+  * harden_frm_xfrd@.service.patch
+  * harden_xrootd@.service.patch
+
+-------------------------------------------------------------------

New:
----
  harden_cmsd@.service.patch
  harden_frm_purged@.service.patch
  harden_frm_xfrd@.service.patch
  harden_xrootd@.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xrootd.spec ++++++
--- /var/tmp/diff_new_pack.D4Djzg/_old  2022-01-20 00:13:18.970626717 +0100
+++ /var/tmp/diff_new_pack.D4Djzg/_new  2022-01-20 00:13:18.974626721 +0100
@@ -36,6 +36,10 @@
 URL:            http://xrootd.org/
 Source0:        
https://github.com/xrootd/xrootd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source100:      xrootd-rpmlintrc
+Patch0:        harden_cmsd@.service.patch
+Patch1:        harden_frm_purged@.service.patch
+Patch2:        harden_frm_xfrd@.service.patch
+Patch3:        harden_xrootd@.service.patch
 BuildRequires:  cmake >= 2.8
 BuildRequires:  doxygen
 BuildRequires:  fdupes

++++++ harden_cmsd@.service.patch ++++++
Index: xrootd-4.12.8/packaging/common/cmsd@.service
===================================================================
--- xrootd-4.12.8.orig/packaging/common/cmsd@.service
+++ xrootd-4.12.8/packaging/common/cmsd@.service
@@ -6,6 +6,17 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/bin/cmsd -l /var/log/xrootd/cmsd.log -c 
/etc/xrootd/xrootd-%i.cfg -k fifo -s /var/run/xrootd/cmsd-%i.pid -n %i
 User=xrootd
 Group=xrootd

++++++ harden_frm_purged@.service.patch ++++++
Index: xrootd-4.12.8/packaging/common/frm_purged@.service
===================================================================
--- xrootd-4.12.8.orig/packaging/common/frm_purged@.service
+++ xrootd-4.12.8/packaging/common/frm_purged@.service
@@ -6,6 +6,17 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/bin/frm_purged -l /var/log/xrootd/frm_purged.log -c 
/etc/xrootd/xrootd-%i.cfg -k fifo -s /var/run/xrootd/frm_purged-%i.pid -n %i
 User=xrootd
 Group=xrootd

++++++ harden_frm_xfrd@.service.patch ++++++
Index: xrootd-4.12.8/packaging/common/frm_xfrd@.service
===================================================================
--- xrootd-4.12.8.orig/packaging/common/frm_xfrd@.service
+++ xrootd-4.12.8/packaging/common/frm_xfrd@.service
@@ -6,6 +6,17 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/bin/frm_xfrd -l /var/log/xrootd/frm_xfrd.log -c 
/etc/xrootd/xrootd-%i.cfg -k fifo -s /var/run/xrootd/frm_xfrd-%i.pid -n %i
 User=xrootd
 Group=xrootd

++++++ harden_xrootd@.service.patch ++++++
Index: xrootd-4.12.8/packaging/common/xrootd@.service
===================================================================
--- xrootd-4.12.8.orig/packaging/common/xrootd@.service
+++ xrootd-4.12.8/packaging/common/xrootd@.service
@@ -6,6 +6,17 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c 
/etc/xrootd/xrootd-%i.cfg -k fifo -s /var/run/xrootd/xrootd-%i.pid -n %i
 User=xrootd
 Group=xrootd