Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package atop for openSUSE:Factory checked in at 2021-08-23 10:08:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/atop (Old)
 and /work/SRC/openSUSE:Factory/.atop.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "atop" Mon Aug 23 10:08:19 2021 rev:7 rq:913494 version:2.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/atop/atop.changes 2021-06-01 10:41:10.261191952 +0200 +++ /work/SRC/openSUSE:Factory/.atop.new.1899/atop.changes 2021-08-23 10:09:33.972148696 +0200 @@ -1,0 +2,9 @@ +Wed Aug 11 08:40:14 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s). Added patch(es): + * harden_atop-rotate.service.patch + *harden_atop.service.patch + *harden_atopacct.service.patch + *harden_atopgpu.service.patch + +------------------------------------------------------------------- New: ---- harden_atop-rotate.service.patch harden_atop.service.patch harden_atopacct.service.patch harden_atopgpu.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ atop.spec ++++++ --- /var/tmp/diff_new_pack.JGkkfu/_old 2021-08-23 10:09:34.576147992 +0200 +++ /var/tmp/diff_new_pack.JGkkfu/_new 2021-08-23 10:09:34.576147992 +0200 @@ -29,6 +29,10 @@ Source2: atop.default Source99: atop-rpmlintrc Patch0: atop-makefile.patch +Patch1: harden_atop-rotate.service.patch +Patch2: harden_atop.service.patch +Patch3: harden_atopacct.service.patch +Patch4: harden_atopgpu.service.patch BuildRequires: gcc BuildRequires: glibc-devel BuildRequires: make ++++++ harden_atop-rotate.service.patch ++++++ Index: atop-2.6.0/atop-rotate.service =================================================================== --- atop-2.6.0.orig/atop-rotate.service +++ atop-2.6.0/atop-rotate.service 
@@ -2,5 +2,18 @@ Description=Restart atop daemon to rotate logs [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/bin/systemctl try-restart atop.service ++++++ harden_atop.service.patch ++++++ Index: atop-2.6.0/atop.service =================================================================== --- atop-2.6.0.orig/atop.service +++ atop-2.6.0/atop.service @@ -3,6 +3,19 @@ Description=Atop advanced performance mo Documentation=man:atop(1) [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Environment=LOGOPTS="" Environment=LOGINTERVAL=600 Environment=LOGGENERATIONS=28 ++++++ harden_atopacct.service.patch ++++++ Index: atop-2.6.0/atopacct.service =================================================================== --- atop-2.6.0.orig/atopacct.service +++ atop-2.6.0/atopacct.service 
@@ -6,6 +6,19 @@ After=syslog.target Before=atop.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking PIDFile=/var/run/atopacctd.pid ExecStart=/usr/sbin/atopacctd ++++++ harden_atopgpu.service.patch ++++++ Index: atop-2.6.0/atopgpu.service =================================================================== --- atop-2.6.0.orig/atopgpu.service +++ atop-2.6.0/atopgpu.service @@ -5,6 +5,19 @@ After=syslog.target Before=atop.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=/usr/sbin/atopgpud Type=oneshot RemainAfterExit=yes
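Review bot: In the atop.changes hunk the patch list is formatted inconsistently as shown here: the first entry reads "* harden_atop-rotate.service.patch" while the other three have no space after the asterisk ("*harden_atop.service.patch" and so on). Use the same "* name" form for all four entries so the changelog renders as one list.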
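Review bot: In the atop.spec hunk, Patch1 through Patch4 are declared, but this is the only hunk in the spec diff, so nothing in %prep changed. If %prep applies patches individually (a %patch0 line), the four hardening patches are never applied and the units ship unhardened; please confirm that %prep uses %autosetup or %autopatch, or add the matching %patch lines.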
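Review bot: In the atopacct.service hunk, the context line PIDFile=/var/run/atopacctd.pid still points at the legacy /var/run path. ProtectSystem=full only makes /usr, /boot, /efi and /etc read-only, so the PID file can still be written and the hardening does not break it, but systemd logs a warning for PIDFile= paths below /var/run. Since the unit is being patched anyway, consider changing it to /run/atopacctd.pid in the same patch.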
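Review bot: In the atopgpu.service hunk, PrivateDevices=true is added to a unit whose ExecStart is /usr/sbin/atopgpud. PrivateDevices= gives the service a private /dev that contains only pseudo-devices such as /dev/null and /dev/zero, so a daemon that collects GPU statistics would no longer see the GPU device nodes. Please test this unit on a host with a GPU; if it fails, drop this line for atopgpu.service or replace it with DevicePolicy=closed plus DeviceAllow= entries for the nodes the daemon actually opens. The block is marked "added automatically" and is identical in all four units, so this one deserves a per-service check.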