commit tor for openSUSE:Factory

Thu, 28 Jan 2021 12:22:48 -0800 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tor for openSUSE:Factory checked in 
at 2021-01-28 21:22:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tor (Old)
 and      /work/SRC/openSUSE:Factory/.tor.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tor"

Thu Jan 28 21:22:32 2021 rev:87 rq:867314 version:0.4.4.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/tor/tor.changes  2020-11-13 19:00:36.958217525 
+0100
+++ /work/SRC/openSUSE:Factory/.tor.new.28504/tor.changes       2021-01-28 
21:22:33.055651952 +0100
@@ -1,0 +2,5 @@
+Wed Jan 27 06:16:46 UTC 2021 - Bernhard Wiedemann <bwiedem...@suse.com>
+
+- Restrict service permissions with systemd
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ defaults-torrc ++++++
--- /var/tmp/diff_new_pack.dQI2hs/_old  2021-01-28 21:22:34.839654779 +0100
+++ /var/tmp/diff_new_pack.dQI2hs/_new  2021-01-28 21:22:34.839654779 +0100
@@ -1,6 +1,6 @@
 DataDirectory /var/lib/tor
 PidFile /var/run/tor/tor.pid
-User tor
+#User tor # handled instead via tor.service
 Log notice file /var/log/tor/tor.log
 #Log notice syslog
 


++++++ tor.service ++++++
--- /var/tmp/diff_new_pack.dQI2hs/_old  2021-01-28 21:22:34.911654893 +0100
+++ /var/tmp/diff_new_pack.dQI2hs/_new  2021-01-28 21:22:34.915654899 +0100
@@ -7,8 +7,9 @@
 [Service]
 Type=notify
 NotifyAccess=all
-ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc 
/usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
-ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc 
/usr/share/tor/defaults-torrc -f /etc/tor/torrc
+User=tor
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc 
/usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config --user tor
+ExecStart=+/usr/bin/tor --runasdaemon 0 --defaults-torrc 
/usr/share/tor/defaults-torrc -f /etc/tor/torrc --user tor
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
 TimeoutSec=30
@@ -18,18 +19,35 @@
 LimitNOFILE=32768
 
 # Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE 
CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PermissionsStartOnly=yes
+PrivateDevices=yes
+PrivateNetwork=no
+PrivateUsers=yes
 PrivateTmp=yes
-DeviceAllow=/dev/null rw
-DeviceAllow=/dev/urandom r
+ProtectClock=yes
+ProtectControlGroups=yes
 ProtectHome=yes
-#ProtectSystem=full
-ReadOnlyDirectories=/run
-ReadOnlyDirectories=/var
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHostname=yes
+ReadOnlyDirectories=/
 ReadWriteDirectories=/run/tor
 ReadWriteDirectories=/var/lib/tor
 ReadWriteDirectories=/var/log/tor
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE 
CAP_DAC_READ_SEARCH
-PermissionsStartOnly=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @obsolete @raw-io @mount @module @debug 
@clock @reboot @swap
+UMask=77
 
 [Install]
 WantedBy=multi-user.target

Reply via email to