Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nsd for openSUSE:Factory checked in at 2021-10-13 18:06:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nsd (Old) and /work/SRC/openSUSE:Factory/.nsd.new.2443 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nsd" Wed Oct 13 18:06:13 2021 rev:24 rq:925093 version:4.3.8 Changes: -------- --- /work/SRC/openSUSE:Factory/nsd/nsd.changes 2021-10-12 21:51:33.944061752 +0200 +++ /work/SRC/openSUSE:Factory/.nsd.new.2443/nsd.changes 2021-10-13 18:10:06.207652379 +0200 @@ -1,0 +2,19 @@ +Wed Oct 13 12:45:45 UTC 2021 - Michael Str??der <mich...@stroeder.com> + +- set RestrictAddressFamilies= in nsd.service + +------------------------------------------------------------------- +Tue Oct 12 20:19:52 UTC 2021 - Michael Str??der <mich...@stroeder.com> + +- reworked nsd.service: + * directly start as User=_nsd + * even more hardening + * removed commented and unused directives + +------------------------------------------------------------------- +Tue Oct 12 20:01:24 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * nsd.service + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nsd.service ++++++ --- /var/tmp/diff_new_pack.LJLE6D/_old 2021-10-13 18:10:06.907653477 +0200 +++ /var/tmp/diff_new_pack.LJLE6D/_new 2021-10-13 18:10:06.907653477 +0200 @@ -5,11 +5,40 @@ [Service] Type=simple PIDFile=/run/nsd/nsd.pid -#EnvironmentFile=-/etc/sysconfig/nsd -#ExecStart=/usr/sbin/nsd -D -c /etc/nsd/nsd.conf $OTHER_NSD_OPTS ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state +User=_nsd +Group=_nsd + +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions + +# even more hardening options +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK +PrivateTmp=yes +NoNewPrivileges=yes +MountFlags=private +LockPersonality=yes +KeyringMode=private +RestrictNamespaces=yes +RestrictSUIDSGID=yes +DevicePolicy=closed +MemoryDenyWriteExecute=yes +SystemCallArchitectures=native +SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid [Install] WantedBy=multi-user.target -
