Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package chrony for openSUSE:Factory checked 
in at 2021-09-08 21:36:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/chrony (Old)
 and      /work/SRC/openSUSE:Factory/.chrony.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "chrony"

Wed Sep  8 21:36:16 2021 rev:32 rq:916851 version:4.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/chrony/chrony.changes    2021-07-04 
22:10:31.469330410 +0200
+++ /work/SRC/openSUSE:Factory/.chrony.new.1899/chrony.changes  2021-09-08 
21:36:17.673866065 +0200
@@ -1,0 +2,7 @@
+Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s). Added patch(es):
+  * harden_chrony-wait.service.patch
+  * harden_chronyd.service.patch
+
+-------------------------------------------------------------------

New:
----
  harden_chrony-wait.service.patch
  harden_chronyd.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ chrony.spec ++++++
--- /var/tmp/diff_new_pack.EjWtld/_old  2021-09-08 21:36:18.637867185 +0200
+++ /var/tmp/diff_new_pack.EjWtld/_new  2021-09-08 21:36:18.641867190 +0200
@@ -55,6 +55,8 @@
 Patch2:         chrony-logrotate.patch
 Patch3:         chrony-service-ordering.patch
 Patch4:         chrony-refid-internal-md5.patch
+Patch5:         harden_chrony-wait.service.patch
+Patch6:         harden_chronyd.service.patch
 BuildRequires:  NetworkManager-devel
 BuildRequires:  bison
 BuildRequires:  gcc-c++
@@ -155,6 +157,8 @@
 %patch2 -p1
 %patch3
 %patch4
+%patch5 -p1
+%patch6 -p1
 
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .



++++++ harden_chrony-wait.service.patch ++++++
Index: chrony-4.1/examples/chrony-wait.service
===================================================================
--- chrony-4.1.orig/examples/chrony-wait.service
+++ chrony-4.1/examples/chrony-wait.service
@@ -7,6 +7,19 @@ Before=time-sync.target
 Wants=time-sync.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=oneshot
 # Wait for chronyd to update the clock and the remaining
 # correction to be less than 0.1 seconds
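Review bot: The added block leaves out `PrivateTmp=` and `NoNewPrivileges=`, although chronyd.service in the same package already runs with `PrivateTmp=yes`. This unit appears only to wait for chronyd to synchronise the clock (its ExecStart line is below the hunk), so `PrivateTmp=true` and `NoNewPrivileges=true` look safe to add to the generated list. Confirm with a test boot that time-sync.target is still reached. The end marker `# end of automatic additions ` also carries a trailing space that is worth dropping from the generator template.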
++++++ harden_chronyd.service.patch ++++++
Index: chrony-4.1/examples/chronyd.service
===================================================================
--- chrony-4.1.orig/examples/chronyd.service
+++ chrony-4.1/examples/chronyd.service
@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=full
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+DeviceAllow=char-rtc
+# end of automatic additions 
 
 [Install]
 WantedBy=multi-user.target
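Review bot: `PrivateDevices=true` and `DeviceAllow=char-rtc` work against each other in the added block. As systemd documents it, PrivateDevices gives the service a private /dev holding only pseudo-devices, so the allow-list entry alone does not make an RTC node appear there (worth confirming on the target systemd version). A chronyd configured with `rtcfile`/`rtcdevice`, or with PPS or PHC reference clocks, would presumably lose access to its device nodes. If device confinement is the goal, `DevicePolicy=closed` with explicit `DeviceAllow=char-rtc rw`, `DeviceAllow=char-pps rw` and `DeviceAllow=char-ptp rw` keeps those configurations working while still denying every other device. The [Service] section starts above the hunk, so directives already set there are not visible.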
