Hello community,

here is the log from the commit of package firehol for openSUSE:Factory checked in at 2022-02-13 19:51:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/firehol (Old)
 and /work/SRC/openSUSE:Factory/.firehol.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "firehol" Sun Feb 13 19:51:04 2022 rev:5 rq:954074 version:3.1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/firehol/firehol.changes 2021-01-01 21:14:14.247421203 +0100 +++ /work/SRC/openSUSE:Factory/.firehol.new.1956/firehol.changes 2022-02-13 19:51:48.298334529 +0100 @@ -1,0 +2,7 @@ +Tue Sep 14 09:37:49 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_firehol.service.patch + * harden_fireqos.service.patch + +------------------------------------------------------------------- New: ---- harden_firehol.service.patch harden_fireqos.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ firehol.spec ++++++ --- /var/tmp/diff_new_pack.UonrRc/_old 2022-02-13 19:51:48.898336128 +0100 +++ /var/tmp/diff_new_pack.UonrRc/_new 2022-02-13 19:51:48.902336138 +0100 @@ -25,6 +25,8 @@ URL: https://firehol.org/ Source: https://github.com/firehol/firehol/releases/download/v%{version}/firehol-%{version}.tar.xz Source99: %{name}-rpmlintrc +Patch0: harden_firehol.service.patch +Patch1: harden_fireqos.service.patch BuildRequires: curl BuildRequires: fdupes BuildRequires: git-core @@ -90,6 +92,8 @@ %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build %configure --docdir=%{_docdir}/%{name} ++++++ harden_firehol.service.patch ++++++ Index: firehol-3.1.7/contrib/firehol.service =================================================================== --- firehol-3.1.7.orig/contrib/firehol.service +++ firehol-3.1.7/contrib/firehol.service 
@@ -14,6 +14,17 @@ Conflicts=shutdown.target Before=shutdown.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot RemainAfterExit=yes ExecStart=/usr/sbin/firehol start ++++++ harden_fireqos.service.patch ++++++ Index: firehol-3.1.7/contrib/fireqos.service =================================================================== --- firehol-3.1.7.orig/contrib/fireqos.service +++ firehol-3.1.7/contrib/fireqos.service @@ -5,6 +5,17 @@ After=network-online.target Wants=network-online.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/sbin/fireqos start ExecStop=/usr/sbin/fireqos stop
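Review bot: The new `Patch0:` and `Patch1:` lines in the firehol.spec hunk carry no comment stating each patch's origin and upstream status; the only explanation (bsc#1181400) lives in firehol.changes. Add a one-line comment above each, for example `# PATCH-FIX-OPENSUSE harden_firehol.service.patch bsc#1181400`, so the spec is self-describing. As a style point in the `%prep` hunk, `%patch0 -p1` and `%patch1 -p1` use the numbered `%patchN` form that newer RPM releases deprecate; replacing `%setup -q` and the two `%patch` lines with `%autosetup -p1` would avoid that.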
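Review bot: `ProtectSystem=full` in the firehol.service hunk mounts /usr, /boot, /efi and /etc read-only for every process started from this unit, including `ExecStart=/usr/sbin/firehol start`, and nothing in the patch shows that this was checked against what FireHOL writes at start-up. Please confirm that start, stop and restart still complete with the block applied. If any path under /etc is written, add a matching `ReadWritePaths=` line rather than dropping the directive.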
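Review bot: The block between `# added automatically` and `# end of automatic additions` in the fireqos.service hunk is the same generic set as in firehol.service and leaves out `ProtectKernelModules=` and `ProtectKernelTunables=` without saying why. If that omission is deliberate for tools that configure the kernel's network stack, state it in a comment inside the block so a later hardening pass does not add them. The sandbox also applies to `ExecStop=/usr/sbin/fireqos stop`, so the stop path needs the same test as start.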
