Hello community,

here is the log from the commit of package rpcbind for openSUSE:Factory checked in at 2023-04-29 17:27:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rpcbind (Old)
 and /work/SRC/openSUSE:Factory/.rpcbind.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpcbind" Sat Apr 29 17:27:40 2023 rev:68 rq:1083350 version:1.2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/rpcbind/rpcbind.changes 2023-01-27 10:22:06.125383766 +0100 +++ /work/SRC/openSUSE:Factory/.rpcbind.new.1533/rpcbind.changes 2023-04-29 17:27:48.466458565 +0200 @@ -11,0 +12,6 @@ +Tue Nov 16 07:39:53 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_rpcbind.service.patch + +------------------------------------------------------------------- New: ---- harden_rpcbind.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rpcbind.spec ++++++ --- /var/tmp/diff_new_pack.4e1v7W/_old 2023-04-29 17:27:49.026460910 +0200 +++ /var/tmp/diff_new_pack.4e1v7W/_new 2023-04-29 17:27:49.030460927 +0200 @@ -33,6 +33,7 @@ Source5: rpc-user.conf Patch1: 0001-systemd-unit-files.patch Patch2: 0001-change-lockingdir-to-run.patch +Patch3: harden_rpcbind.service.patch BuildRequires: libtirpc-devel >= 1.0.1 BuildRequires: libtool BuildRequires: pkgconfig ++++++ harden_rpcbind.service.patch ++++++ Index: rpcbind-1.2.6/systemd/rpcbind.service.in =================================================================== --- rpcbind-1.2.6.orig/systemd/rpcbind.service.in +++ rpcbind-1.2.6/systemd/rpcbind.service.in @@ -11,6 +11,19 @@ Wants=rpcbind.target After=sysinit.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=notify # distro can provide a drop-in adding EnvironmentFile=-/??? if needed. EnvironmentFile=-/etc/sysconfig/rpcbind
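Review bot: the rpcbind.changes hunk inserts an entry dated Tue Nov 16 2021 at line 12 instead of at the top of the file, although the check-in is from 2023-04-29, and it says "systemd service(s)" while the patch touches only systemd/rpcbind.service.in. Name the unit in the entry and list the directives that were added, so that someone reading the changelog after a regression can tell which sandboxing options arrived with this revision without opening the patch.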
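Review bot: the rpcbind.spec hunk declares `Patch3: harden_rpcbind.service.patch` but the diff contains no matching change in %prep. If the spec applies patches individually (`%patch1`, `%patch2`) rather than through `%autosetup` or `%autopatch`, the hardening patch is shipped in the source package but never applied to rpcbind.service.in. Add the corresponding `%patch3 -p1` line (the patch paths carry one leading directory component) or confirm that the spec applies all declared patches automatically.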
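Review bot: the [Service] block in harden_rpcbind.service.patch is marked only as "added automatically", and the patch has no header saying which rpcbind runtime paths were checked against the new restrictions. `ProtectSystem=full` makes /usr, the boot loader directories and /etc read-only for the service and `ProtectHome=true` hides /home, /root and /run/user, so the unit depends on rpcbind keeping its lock and state files under /run (the job of 0001-change-lockingdir-to-run.patch) and on /etc/sysconfig/rpcbind only being read; please state that in the patch description. The template also leaves out options such as `NoNewPrivileges=`, `PrivateTmp=` and `RestrictAddressFamilies=`; running `systemd-analyze security rpcbind.service` against the built unit and recording which remaining exposures are intentional would make the hardening reviewable.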
