Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package deepin-api for openSUSE:Factory checked in at 2021-09-08 21:36:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/deepin-api (Old) and /work/SRC/openSUSE:Factory/.deepin-api.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "deepin-api" Wed Sep 8 21:36:38 2021 rev:5 rq:917586 version:5.4.9 Changes: -------- --- /work/SRC/openSUSE:Factory/deepin-api/deepin-api.changes 2021-08-29 21:34:16.410703169 +0200 +++ /work/SRC/openSUSE:Factory/.deepin-api.new.1899/deepin-api.changes 2021-09-08 21:36:59.777915136 +0200 @@ -1,0 +2,7 @@ +Wed Sep 1 12:35:22 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s). Added patch(es): + * harden_deepin-login-sound.service.patch + * harden_deepin-shutdown-sound.service.patch + +------------------------------------------------------------------- New: ---- harden_deepin-login-sound.service.patch harden_deepin-shutdown-sound.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ deepin-api.spec ++++++ --- /var/tmp/diff_new_pack.XnxGVn/_old 2021-09-08 21:37:00.517916003 +0200 +++ /var/tmp/diff_new_pack.XnxGVn/_new 2021-09-08 21:37:00.521916008 +0200 @@ -1,7 +1,7 @@ # # spec file for package deepin-api # -# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # Copyright (c) 2021 Hillwood Yang <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -13,7 +13,10 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + # %define provider github %define provider_tld com @@ -25,7 +28,8 @@ Version: 5.4.9 Release: 0 Summary: Go-lang bingding for dde-daemon -License: GPL-3.0+ +License: GPL-3.0-or-later +Group: System/GUI/Other URL: https://github.com/linuxdeepin/dde-api Source0: https://github.com/linuxdeepin/dde-api/archive/%{version}/%{repo}-%{version}.tar.gz Source1: vendor.tar.gz 
@@ -35,37 +39,38 @@ # PATCH-FIX-OPENSUSE disable-gosrc-install-in-makefile.patch [email protected] # Use goinstall macro instead of makefile Patch1: disable-gosrc-install-in-makefile.patch -Group: System/GUI/Other -BuildRequires: fdupes +Patch2: harden_deepin-login-sound.service.patch +Patch3: harden_deepin-shutdown-sound.service.patch BuildRequires: deepin-gettext-tools +BuildRequires: fdupes %if 0%{?suse_version} > 1500 BuildRequires: golang(API) = 1.15 %endif +BuildRequires: deepin-gir-generator +BuildRequires: deepin-sound-theme +BuildRequires: golang-github-linuxdeepin-go-dbus-factory >= 1.9.17 +BuildRequires: golang-github-linuxdeepin-go-lib +BuildRequires: golang-github-linuxdeepin-go-x11-client BuildRequires: golang-packaging -BuildRequires: pkgconfig(glib-2.0) +BuildRequires: systemd-rpm-macros +BuildRequires: update-desktop-files +BuildRequires: pkgconfig(alsa) BuildRequires: pkgconfig(cairo-ft) +BuildRequires: pkgconfig(gdk-pixbuf-xlib-2.0) BuildRequires: pkgconfig(gio-2.0) +BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(gtk+-3.0) -BuildRequires: pkgconfig(gdk-pixbuf-xlib-2.0) BuildRequires: pkgconfig(gudev-1.0) BuildRequires: pkgconfig(libcanberra) +BuildRequires: pkgconfig(libpulse-simple) BuildRequires: pkgconfig(librsvg-2.0) -BuildRequires: pkgconfig(poppler-glib) BuildRequires: pkgconfig(polkit-qt5-1) +BuildRequires: pkgconfig(poppler-glib) BuildRequires: pkgconfig(systemd) -BuildRequires: pkgconfig(xfixes) -BuildRequires: pkgconfig(xcursor) BuildRequires: pkgconfig(x11) +BuildRequires: pkgconfig(xcursor) +BuildRequires: pkgconfig(xfixes) BuildRequires: pkgconfig(xi) -BuildRequires: pkgconfig(libpulse-simple) -BuildRequires: pkgconfig(alsa) -BuildRequires: update-desktop-files -BuildRequires: deepin-sound-theme -BuildRequires: systemd-rpm-macros -BuildRequires: golang-github-linuxdeepin-go-lib -BuildRequires: golang-github-linuxdeepin-go-x11-client -BuildRequires: golang-github-linuxdeepin-go-dbus-factory >= 1.9.17 -BuildRequires: 
deepin-gir-generator Requires: deepin-desktop-base Requires: rfkill AutoReqProv: Off @@ -78,29 +83,28 @@ %package -n golang-%{provider}-%{project}-%{repo} Summary: DDE API golang codes Group: Development/Languages/Golang -Requires: pkgconfig(glib-2.0) +Requires: deepin-gir-generator +Requires: golang-github-linuxdeepin-go-dbus-factory >= 1.9.17 +Requires: golang-github-linuxdeepin-go-lib +Requires: golang-github-linuxdeepin-go-x11-client +Requires: pkgconfig(alsa) Requires: pkgconfig(cairo-ft) +Requires: pkgconfig(gdk-pixbuf-xlib-2.0) Requires: pkgconfig(gio-2.0) +Requires: pkgconfig(glib-2.0) Requires: pkgconfig(gtk+-3.0) -Requires: pkgconfig(gdk-pixbuf-xlib-2.0) Requires: pkgconfig(gudev-1.0) Requires: pkgconfig(libcanberra) +Requires: pkgconfig(libpulse-simple) Requires: pkgconfig(librsvg-2.0) -Requires: pkgconfig(poppler-glib) Requires: pkgconfig(polkit-qt5-1) +Requires: pkgconfig(poppler-glib) Requires: pkgconfig(systemd) -Requires: pkgconfig(xfixes) -Requires: pkgconfig(xcursor) Requires: pkgconfig(x11) +Requires: pkgconfig(xcursor) +Requires: pkgconfig(xfixes) Requires: pkgconfig(xi) -Requires: pkgconfig(libpulse-simple) -Requires: pkgconfig(alsa) -Requires: golang-github-linuxdeepin-go-lib -Requires: golang-github-linuxdeepin-go-x11-client -Requires: golang-github-linuxdeepin-go-dbus-factory >= 1.9.17 -Requires: deepin-gir-generator BuildArch: noarch -AutoReqProv: On AutoReq: Off %{go_provides} @@ -167,7 +171,6 @@ %postun %service_del_postun deepin-shutdown-sound.service deepin-login-sound.service - %files %doc README.md %license LICENSE 
@@ -191,7 +194,6 @@ %dir /var/lib/polkit-1/localauthority/10-vendor.d /var/lib/polkit-1/localauthority/10-vendor.d/com.deepin.api.device.pkla - %files -n golang-%{provider}-%{project}-%{repo} -f file.lst %changelog ++++++ harden_deepin-login-sound.service.patch ++++++ Index: dde-api-5.4.9/misc/systemd/system/deepin-login-sound.service =================================================================== --- dde-api-5.4.9.orig/misc/systemd/system/deepin-login-sound.service +++ dde-api-5.4.9/misc/systemd/system/deepin-login-sound.service @@ -4,6 +4,19 @@ Requires=sound.target After=dbus.service lightdm.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/bin/dbus-send --system --dest=com.deepin.api.SoundThemePlayer --print-reply /com/deepin/api/SoundThemePlayer com.deepin.api.SoundThemePlayer.PlaySoundDesktopLogin RemainAfterExit=yes ++++++ harden_deepin-shutdown-sound.service.patch ++++++ Index: dde-api-5.4.9/misc/systemd/system/deepin-shutdown-sound.service =================================================================== --- dde-api-5.4.9.orig/misc/systemd/system/deepin-shutdown-sound.service +++ dde-api-5.4.9/misc/systemd/system/deepin-shutdown-sound.service 
@@ -5,6 +5,19 @@
 After=sound.target local-fs.target
 Before=systemd-logind.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 ExecStart=/usr/bin/true
 ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound
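Review bot: `PrivateDevices=true` in deepin-shutdown-sound.service also governs the `ExecStop=/usr/lib/deepin-api/deepin-shutdown-sound` helper, and it gives the unit a private /dev without physical device nodes such as /dev/snd. If that helper opens ALSA devices itself rather than going through a sound server (the page does not show which), the shutdown sound would fail quietly under this sandbox. Test it on a real shutdown, and if it breaks, replace the directive with `DevicePolicy=closed` plus `DeviceAllow=char-alsa rw`. In the login-sound hunk the same block confines only the `dbus-send` client, so the SoundThemePlayer service that handles the call is not covered and would need its own hardening. Both units run a single short command, so `NoNewPrivileges=true` and `PrivateTmp=true` look like cheap additions to the automatic block; `systemd-analyze security <unit>` will show what remains exposed.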
