Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keepalived for openSUSE:Factory checked in at 2021-10-01 22:29:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keepalived (Old)
 and      /work/SRC/openSUSE:Factory/.keepalived.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keepalived" Fri Oct 1 22:29:14 2021 rev:37 rq:922645 version:2.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/keepalived/keepalived.changes 2021-07-21 19:08:07.039472633 +0200 +++ /work/SRC/openSUSE:Factory/.keepalived.new.2443/keepalived.changes 2021-10-01 22:29:47.913456642 +0200 @@ -1,0 +2,6 @@ +Mon Sep 27 07:39:33 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_keepalived.service.patch + +------------------------------------------------------------------- New: ---- harden_keepalived.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keepalived.spec ++++++ --- /var/tmp/diff_new_pack.fKOclP/_old 2021-10-01 22:29:48.333457418 +0200 +++ /var/tmp/diff_new_pack.fKOclP/_new 2021-10-01 22:29:48.337457425 +0200 @@ -54,6 +54,7 @@ Patch1: keepalive-init.patch # PATCH-FIX-UPSTREAM: https://github.com/acassen/keepalived/pull/1915 Patch2: 1915.patch +Patch3: harden_keepalived.service.patch BuildRequires: file-devel BuildRequires: net-snmp-devel BuildRequires: pkgconfig @@ -104,6 +105,7 @@ %patch1 -p1 %patch2 -p1 chmod 644 doc/samples/* +%patch3 -p1 %build export STRIP=true ++++++ harden_keepalived.service.patch ++++++ Index: keepalived-2.2.2/keepalived/keepalived.service.in =================================================================== --- keepalived-2.2.2.orig/keepalived/keepalived.service.in +++ keepalived-2.2.2/keepalived/keepalived.service.in 
@@ -4,6 +4,19 @@ After=network-online.target syslog.targe Wants=network-online.target @SNMP_SERVICE@ [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=@SYSTEMD_SERVICE_TYPE@ PIDFile=@RUN_DIR@/run/keepalived.pid KillMode=process
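Review bot: In the keepalived.spec hunk at @@ -54,6 +54,7 @@, the new `Patch3: harden_keepalived.service.patch` line has no tag comment, while Patch2 directly above it carries `# PATCH-FIX-UPSTREAM:` with the URL it came from. Add a comment line above Patch3 stating the patch's origin (for example a PATCH-FIX-OPENSUSE tag) and referencing bsc#1181400, the bug named in the changes entry, so the spec file itself records why the patch is carried.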
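Review bot: In the keepalived.spec hunk at @@ -104,6 +105,7 @@, `%patch3 -p1` is placed after `chmod 644 doc/samples/*` instead of with `%patch1 -p1` and `%patch2 -p1`. The patch only touches keepalived/keepalived.service.in, so the order is harmless today, but moving it directly below `%patch2 -p1` keeps all patch applications in one block and leaves the chmod as the last step of %prep.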
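Review bot: In the keepalived.service.in hunk at @@ -4,6 +4,19 @@, the block is marked "added automatically" and nothing in the patch or the changes entry records that the directives were checked against what this daemon does at runtime. Two of them deserve an explicit check before shipping: `ProtectKernelModules=true` stops the service from loading kernel modules, which matters for setups where keepalived loads the IPVS module itself rather than finding it already loaded, and `ProtectHome=true` hides /home, /root and /run/user from the daemon and from every child process it starts, which includes administrator-supplied check and notify scripts stored there. `ProtectSystem=full` likewise makes /usr, /boot and /etc read-only for those children. Please test with an IPVS configuration and with a notify script, and either drop the directives that break those cases or add a comment in the unit pointing administrators to a drop-in override.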