Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package lirc for openSUSE:Factory checked in at 2021-10-11 15:30:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lirc (Old) and /work/SRC/openSUSE:Factory/.lirc.new.2443 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lirc" Mon Oct 11 15:30:20 2021 rev:72 rq:923412 version:0.10.1 Changes: -------- --- /work/SRC/openSUSE:Factory/lirc/lirc.changes 2021-03-11 20:08:08.472259450 +0100 +++ /work/SRC/openSUSE:Factory/.lirc.new.2443/lirc.changes 2021-10-11 15:30:29.486736672 +0200 @@ -1,0 +2,22 @@ +Tue Oct 5 12:06:44 UTC 2021 - Dominique Leuenberger <dims...@opensuse.org> + +- Revert "Require typelib packages": better to have rpm auto-detect + them. +- Add gobject-introspection BuildRequires to have the typelib dep + scanner on board. + +------------------------------------------------------------------- +Tue Oct 5 11:43:13 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_irexec.service.patch + * harden_lircd-uinput.service.patch + * harden_lircd.service.patch + * harden_lircmd.service.patch + +------------------------------------------------------------------- +Sun Aug 8 01:55:41 UTC 2021 - Stanislav Brabec <sbra...@suse.com> + +- Require typelib packages, otherwise lirc-setup fails to start. + +------------------------------------------------------------------- New: ---- harden_irexec.service.patch harden_lircd-uinput.service.patch harden_lircd.service.patch harden_lircmd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lirc.spec ++++++ --- /var/tmp/diff_new_pack.9gjrcS/_old 2021-10-11 15:30:30.202737821 +0200 +++ /var/tmp/diff_new_pack.9gjrcS/_new 2021-10-11 15:30:30.202737821 +0200 @@ -32,8 +32,13 @@ Source0: https://downloads.sourceforge.net/project/lirc/LIRC/%{version}/lirc-%{version}.tar.bz2 Source1: baselibs.conf Patch0: reproducible.patch +Patch1: harden_irexec.service.patch +Patch2: harden_lircd-uinput.service.patch +Patch3: harden_lircd.service.patch +Patch4: harden_lircmd.service.patch BuildRequires: fdupes BuildRequires: gcc-c++ +BuildRequires: gobject-introspection BuildRequires: kmod-compat BuildRequires: libxslt-tools # for hw_atilibusb driver @@ -195,6 +200,10 @@ # Don't provide or require anything from _docdir, per policy. %global __provides_exclude_from ^%{_docdir}/.*$ %global __requires_exclude_from ^%{_docdir}/.*$ +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 sed -i -e 's|/usr/local/etc/|%{_sysconfdir}/|' contrib/irman2lirc sed -i -e 's/#effective-user/effective-user /' lirc_options.conf @@ -251,6 +260,7 @@ %postun -n liblirc_driver0 -p /sbin/ldconfig %postun -n liblirc0 -p /sbin/ldconfig %postun -n libirrecord0 -p /sbin/ldconfig + %pre core getent group lirc >/dev/null || groupadd -r lirc getent passwd lirc >/dev/null || \ ++++++ harden_irexec.service.patch ++++++ Index: lirc-0.10.1/systemd/irexec.service =================================================================== --- lirc-0.10.1.orig/systemd/irexec.service +++ lirc-0.10.1/systemd/irexec.service @@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi Description=Handle events from IR remotes decoded by lircd(8) [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ; user=lirc ; group=lirc ++++++ harden_lircd-uinput.service.patch ++++++ Index: lirc-0.10.1/systemd/lircd-uinput.service =================================================================== --- lirc-0.10.1.orig/systemd/lircd-uinput.service +++ lirc-0.10.1/systemd/lircd-uinput.service @@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi Description=Forward LIRC button presses as uinput events [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple ExecStart=/usr/sbin/lircd-uinput ; user=lirc ++++++ harden_lircd.service.patch ++++++ Index: lirc-0.10.1/systemd/lircd.service =================================================================== --- lirc-0.10.1.orig/systemd/lircd.service +++ lirc-0.10.1/systemd/lircd.service @@ -6,6 +6,16 @@ Wants=lircd-setup.service After=network.target lircd-setup.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple ExecStart=/usr/sbin/lircd --nodaemon ; User=lirc ++++++ harden_lircmd.service.patch ++++++ Index: lirc-0.10.1/systemd/lircmd.service =================================================================== --- lirc-0.10.1.orig/systemd/lircmd.service +++ lirc-0.10.1/systemd/lircmd.service @@ -5,6 +5,16 @@ Documentation=http://lirc.org/html/confi Description=Convert IR remotes button presses to mouse movements and clicks [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple ExecStart=/usr/sbin/lircmd --nodaemon ; user=lirc
