Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package chrony for openSUSE:Factory checked in at 2021-09-08 21:36:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/chrony (Old) and /work/SRC/openSUSE:Factory/.chrony.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "chrony" Wed Sep 8 21:36:16 2021 rev:32 rq:916851 version:4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/chrony/chrony.changes 2021-07-04 22:10:31.469330410 +0200 +++ /work/SRC/openSUSE:Factory/.chrony.new.1899/chrony.changes 2021-09-08 21:36:17.673866065 +0200 @@ -1,0 +2,7 @@ +Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s). Added patch(es): + * harden_chrony-wait.service.patch + * harden_chronyd.service.patch + +------------------------------------------------------------------- New: ---- harden_chrony-wait.service.patch harden_chronyd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ chrony.spec ++++++ --- /var/tmp/diff_new_pack.EjWtld/_old 2021-09-08 21:36:18.637867185 +0200 +++ /var/tmp/diff_new_pack.EjWtld/_new 2021-09-08 21:36:18.641867190 +0200 @@ -55,6 +55,8 @@ Patch2: chrony-logrotate.patch Patch3: chrony-service-ordering.patch Patch4: chrony-refid-internal-md5.patch +Patch5: harden_chrony-wait.service.patch +Patch6: harden_chronyd.service.patch BuildRequires: NetworkManager-devel BuildRequires: bison BuildRequires: gcc-c++ @@ -155,6 +157,8 @@ %patch2 -p1 %patch3 %patch4 +%patch5 -p1 +%patch6 -p1 # Remove pool statements from the default /etc/chrony.conf. They will # be provided by branding packages in /etc/chrony.d/pool.conf . ++++++ harden_chrony-wait.service.patch ++++++ Index: chrony-4.1/examples/chrony-wait.service =================================================================== --- chrony-4.1.orig/examples/chrony-wait.service +++ chrony-4.1/examples/chrony-wait.service 
@@ -7,6 +7,19 @@ Before=time-sync.target Wants=time-sync.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot # Wait for chronyd to update the clock and the remaining # correction to be less than 0.1 seconds ++++++ harden_chronyd.service.patch ++++++ Index: chrony-4.1/examples/chronyd.service =================================================================== --- chrony-4.1.orig/examples/chronyd.service +++ chrony-4.1/examples/chronyd.service @@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS PrivateTmp=yes ProtectHome=yes ProtectSystem=full +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +PrivateDevices=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +DeviceAllow=char-rtc +# end of automatic additions [Install] WantedBy=multi-user.target
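Review bot: In the harden_chrony-wait.service.patch hunk, the added block enables ProtectClock=true and RestrictRealtime=true for chrony-wait while the harden_chronyd.service.patch hunk deliberately leaves both out of chronyd.service; that split is correct (chronyd has to set the system clock, so it needs CAP_SYS_TIME, whereas the wait unit only queries chronyd), but the "added automatically" comment does not record why the two units get different sets, so a one-line comment in the chronyd hunk noting the intentional omission would save the next maintainer from "completing" the list and breaking time synchronization. The wait unit still has to reach chronyd's command socket under /run, which ProtectSystem=full leaves writable, so the added sandboxing should not interfere with `Type=oneshot` waiting on the clock correction.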
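Review bot: In the harden_chronyd.service.patch hunk, `PrivateDevices=true` and `DeviceAllow=char-rtc` are added together, and their interaction should be verified before merging: PrivateDevices gives the service a private /dev populated only with API pseudo-devices, while DeviceAllow adjusts the device cgroup policy, so if chronyd is started with RTC-related options through `$OPTIONS` (or the configuration references the RTC), check on a real system that the RTC device is actually reachable from inside the sandbox and that chronyd logs no RTC errors; if it is not, either drop PrivateDevices for this unit or document that RTC access is intentionally unsupported. `DeviceAllow=char-rtc` also names no access mode; making it explicit (e.g. `DeviceAllow=char-rtc rw`) keeps the grant at least-privilege and self-documenting. Minor style point: the existing lines use `PrivateTmp=yes`, `ProtectHome=yes`, `ProtectSystem=full` while the added lines use `true`; both spellings are accepted by systemd, but matching the surrounding `yes` form (or switching all to `true`) would keep the unit consistent.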