Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package mariadb for openSUSE:Factory checked in at 2021-10-31 22:55:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mariadb (Old)
 and /work/SRC/openSUSE:Factory/.mariadb.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mariadb" Sun Oct 31 22:55:35 2021 rev:115 rq:928153 version:10.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/mariadb/mariadb.changes 2021-10-11 16:48:37.082167952 +0200 +++ /work/SRC/openSUSE:Factory/.mariadb.new.1890/mariadb.changes 2021-10-31 22:56:16.115727130 +0100 @@ -6,0 +7,8 @@ +Wed Oct 6 11:43:40 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_mariadb.service.patch + Modified: + * mariadb.service.in + +------------------------------------------------------------------- New: ---- harden_mariadb.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mariadb.spec ++++++ --- /var/tmp/diff_new_pack.eirSiW/_old 2021-10-31 22:56:17.195727960 +0100 +++ /var/tmp/diff_new_pack.eirSiW/_new 2021-10-31 22:56:17.199727963 +0100 @@ -79,6 +79,7 @@ Patch5: mariadb-10.2.19-link-and-enable-c++11-atomics.patch Patch6: mariadb-10.4.12-harden_setuid.patch Patch7: mariadb-10.4.12-fix-install-db.patch +Patch8: harden_mariadb.service.patch # needed for bison SQL parser and wsrep API BuildRequires: bison BuildRequires: cmake @@ -364,6 +365,7 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 cp %{_sourcedir}/suse-test-run . ++++++ harden_mariadb.service.patch ++++++ Index: mariadb-10.6.4/support-files/mariadb.service.in =================================================================== --- mariadb-10.6.4.orig/support-files/mariadb.service.in +++ mariadb-10.6.4/support-files/mariadb.service.in 
@@ -29,6 +29,16 @@ WantedBy=multi-user.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ############################################################################## ## Core requirements ++++++ mariadb.service.in ++++++ --- /var/tmp/diff_new_pack.eirSiW/_old 2021-10-31 22:56:17.335728067 +0100 +++ /var/tmp/diff_new_pack.eirSiW/_new 2021-10-31 22:56:17.339728070 +0100 @@ -63,6 +63,17 @@ # Prevent accessing /home, /root and /run/user ProtectHome=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions # Execute pre and post scripts as root, otherwise it does it as User= PermissionsStartOnly=true
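Review bot: harden_mariadb.service.patch leaves out PrivateDevices=true in its hunk for support-files/mariadb.service.in, while the mariadb.service.in hunk in this same commit adds it, so the two unit files end up with different sandboxing. Either add PrivateDevices=true to the patch as well, or note in the patch header why it is omitted there. The patch also places the block directly under [Service], above the "Core requirements" banner, whereas mariadb.service.in puts it after ProtectHome=true; putting it in the same position in both files would make later comparison of the two easier.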
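Review bot: in the mariadb.service.in hunk, the block added after ProtectHome=true carries only the "added automatically" marker and a wiki link, while the neighbouring settings each have a one-line explanation (for example "# Prevent accessing /home, /root and /run/user"). A short comment per directive would match the file's existing style, and it matters most for PrivateDevices=true, which gives the service a private /dev containing only pseudo-devices, and for ProtectKernelTunables=true, which makes /proc/sys and /sys read-only for the service. An administrator debugging a start-up failure can then see what each line restricts without following the link.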