Hello community,

here is the log from the commit of package fonehome for openSUSE:Factory 
checked in at 2021-09-21 21:13:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fonehome (Old)
 and      /work/SRC/openSUSE:Factory/.fonehome.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fonehome"

Tue Sep 21 21:13:28 2021 rev:13 rq:920675 version:1.2.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/fonehome/fonehome.changes        2021-06-23 
17:38:16.456474966 +0200
+++ /work/SRC/openSUSE:Factory/.fonehome.new.1899/fonehome.changes      
2021-09-21 21:14:25.598725757 +0200
@@ -1,0 +2,6 @@
+Tue Sep 14 15:58:18 UTC 2021 - Archie Cobbs <archie.co...@gmail.com>
+
+- Added hardening to systemd service(s) (bsc#1181400)
+  * Added patch harden_fonehome.service.patch
+
+-------------------------------------------------------------------
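Review bot: The changelog entry records only the added patch and omits the conditional sed that the same commit adds to %prep in fonehome.spec. That sed deletes ProtectHome=, ProtectHostname=, ProtectKernelLogs= and PrivateMounts= from the unit on some releases, so the hardening described here is not applied uniformly. Add a bullet stating that these directives are stripped on older releases, so anyone auditing bsc#1181400 against an installed unit file knows why it may differ from the patch.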

New:
----
  harden_fonehome.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fonehome.spec ++++++
--- /var/tmp/diff_new_pack.jpKEPk/_old  2021-09-21 21:14:26.002726214 +0200
+++ /var/tmp/diff_new_pack.jpKEPk/_new  2021-09-21 21:14:26.006726219 +0200
@@ -50,6 +50,7 @@
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 Source:         %{name}-%{version}.tar.gz
+Patch0:         harden_fonehome.service.patch
 URL:            https://github.com/archiecobbs/%{name}/
 Requires:       bc
 Requires:       findutils
@@ -75,6 +76,12 @@
 
 %prep
 %setup
+%patch0 -p1
+
+# Avoid "Unknown key name 'XXX' in section 'Service', ignoring." warnings from 
systemd on older releases
+%if 0%{?is_opensuse} && 0%{?sle_version} < 150300
+sed -r -i '/^(Protect(Home|Hostname|KernelLogs)|PrivateMounts)=/d' 
src/unit/fonehome.service
+%endif
 
 %build
 subst()
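Review bot: The sed pattern in %prep does not line up with the directives that harden_fonehome.service.patch adds. ProtectClock= is added by the patch but is not in the pattern, while PrivateMounts= is in the pattern although the patch never adds it; either ProtectClock was meant and will still produce the "Unknown key name" warning on older systemd, or the PrivateMounts alternative is dead and should be dropped. The guard also deserves a second look: `0%{?sle_version}` expands to 0 when sle_version is undefined, so `0%{?is_opensuse} && 0%{?sle_version} < 150300` is true on any openSUSE target that does not define sle_version, and false on any target that does not define is_opensuse regardless of its systemd version. If the intent is "Leap older than 15.3", test that sle_version is defined as well, and say in the comment which systemd version each stripped key needs so the list can be maintained.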

++++++ harden_fonehome.service.patch ++++++
Index: fonehome-1.2.1/src/unit/fonehome.service
===================================================================
--- fonehome-1.2.1.orig/src/unit/fonehome.service
+++ fonehome-1.2.1/src/unit/fonehome.service
@@ -5,6 +5,16 @@
 After=network.target syslog.socket
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 ExecStart=@fonehomescript@
 Restart=always
 RestartSec=30s
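Review bot: ProtectHome=true in the [Service] block makes /home, /root and /run/user inaccessible to the process started by ExecStart=@fonehomescript@. Please confirm the script and anything it spawns never read keys, configuration or known-hosts data from a home directory, otherwise the service will fail after this change and Restart=always will keep relaunching it every 30s. If read access is needed, ProtectHome=read-only is the narrower setting. A short comment above the new block naming the bug reference (bsc#1181400) would also help upstream readers understand why the directives are there.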
