commit fonehome for openSUSE:Factory

Tue, 21 Sep 2021 12:15:23 -0700 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fonehome for openSUSE:Factory 
checked in at 2021-09-21 21:13:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fonehome (Old)
 and      /work/SRC/openSUSE:Factory/.fonehome.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fonehome"

Tue Sep 21 21:13:28 2021 rev:13 rq:920675 version:1.2.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/fonehome/fonehome.changes        2021-06-23 
17:38:16.456474966 +0200
+++ /work/SRC/openSUSE:Factory/.fonehome.new.1899/fonehome.changes      
2021-09-21 21:14:25.598725757 +0200
@@ -1,0 +2,6 @@
+Tue Sep 14 15:58:18 UTC 2021 - Archie Cobbs <archie.co...@gmail.com>
+
+- Added hardening to systemd service(s) (bsc#1181400)
+  * Added patch harden_fonehome.service.patch
+
+-------------------------------------------------------------------

New:
----
  harden_fonehome.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fonehome.spec ++++++
--- /var/tmp/diff_new_pack.jpKEPk/_old  2021-09-21 21:14:26.002726214 +0200
+++ /var/tmp/diff_new_pack.jpKEPk/_new  2021-09-21 21:14:26.006726219 +0200
@@ -50,6 +50,7 @@
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 Source:         %{name}-%{version}.tar.gz
+Patch0:         harden_fonehome.service.patch
 URL:            https://github.com/archiecobbs/%{name}/
 Requires:       bc
 Requires:       findutils
@@ -75,6 +76,12 @@
 
 %prep
 %setup
+%patch0 -p1
+
+# Avoid "Unknown key name 'XXX' in section 'Service', ignoring." warnings from 
systemd on older releases
+%if 0%{?is_opensuse} && 0%{?sle_version} < 150300
+sed -r -i '/^(Protect(Home|Hostname|KernelLogs)|PrivateMounts)=/d' 
src/unit/fonehome.service
+%endif
 
 %build
 subst()

++++++ harden_fonehome.service.patch ++++++
Index: fonehome-1.2.1/src/unit/fonehome.service
===================================================================
--- fonehome-1.2.1.orig/src/unit/fonehome.service
+++ fonehome-1.2.1/src/unit/fonehome.service
@@ -5,6 +5,16 @@
 After=network.target syslog.socket
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 ExecStart=@fonehomescript@
 Restart=always
 RestartSec=30s

Reply via email to