Hello community,

here is the log from the commit of package brickd for openSUSE:Factory checked in at 2021-11-09 23:55:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/brickd (Old)
 and /work/SRC/openSUSE:Factory/.brickd.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "brickd" Tue Nov 9 23:55:11 2021 rev:4 rq:930528 version:2.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/brickd/brickd.changes 2020-12-15 12:33:09.544134445 +0100 +++ /work/SRC/openSUSE:Factory/.brickd.new.1890/brickd.changes 2021-11-09 23:55:39.507984667 +0100 @@ -1,0 +2,7 @@ +Wed Aug 25 11:21:31 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s). Added patch(es): + * harden_brickd-resume.service.patch + * harden_brickd.service.patch + +------------------------------------------------------------------- New: ---- harden_brickd-resume.service.patch harden_brickd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ brickd.spec ++++++ --- /var/tmp/diff_new_pack.JduSIX/_old 2021-11-09 23:55:40.019984927 +0100 +++ /var/tmp/diff_new_pack.JduSIX/_new 2021-11-09 23:55:40.023984929 +0100 @@ -1,7 +1,7 @@ # # spec file for package brickd # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # Copyright (c) 2019 Frank Kunz # # All modifications and additions to the file contributed by third parties @@ -26,6 +26,8 @@ URL: http://www.tinkerforge.com Source0: https://github.com/Tinkerforge/brickd/archive/v%{version}.tar.gz Source1: https://github.com/Tinkerforge/daemonlib/archive/brickd-%{version}.tar.gz +Patch0: harden_brickd-resume.service.patch +Patch1: harden_brickd.service.patch BuildRequires: pkgconfig(libusb) BuildRequires: pkgconfig(systemd) Suggests: logrotate 
@@ -38,6 +40,8 @@ %prep %setup -q -a 1 -n %{name}-%{version} mv daemonlib-%{name}-%{version} src/daemonlib +%patch0 -p1 +%patch1 -p1 %build pushd src/brickd ++++++ harden_brickd-resume.service.patch ++++++ Index: brickd-2.4.3/src/build_data/linux/installer/lib/systemd/system/brickd-resume.service =================================================================== --- brickd-2.4.3.orig/src/build_data/linux/installer/lib/systemd/system/brickd-resume.service +++ brickd-2.4.3/src/build_data/linux/installer/lib/systemd/system/brickd-resume.service @@ -4,6 +4,17 @@ After=suspend.target Requisite=brickd.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions User=root Type=oneshot ExecStart=/usr/bin/pkill -F /var/run/brickd.pid -L -USR1 ++++++ harden_brickd.service.patch ++++++ Index: brickd-2.4.3/src/build_data/linux/installer/lib/systemd/system/brickd.service =================================================================== --- brickd-2.4.3.orig/src/build_data/linux/installer/lib/systemd/system/brickd.service +++ brickd-2.4.3/src/build_data/linux/installer/lib/systemd/system/brickd.service @@ -3,6 +3,17 @@ Description=Brick Daemon After=network.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking ExecStart=/usr/bin/brickd --daemon PIDFile=/var/run/brickd.pid
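Review bot: In the %prep hunk of brickd.spec, the patches are applied with the numbered macros `%patch0 -p1` and `%patch1 -p1`, a form that rpm 4.18 and later deprecates. Writing `%patch -P 0 -p1` and `%patch -P 1 -p1`, or a single `%autopatch -p1` at the same position, keeps the spec building on newer rpm and means %prep does not need another edit when a further hardening patch is added.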
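Review bot: The block added under [Service] in harden_brickd-resume.service.patch leaves out `NoNewPrivileges=true`, although this unit keeps `User=root` and only executes `pkill` to send USR1, which makes it the easier of the two units to confine further. Consider adding `NoNewPrivileges=true` and `PrivateTmp=true` here after a suspend/resume test. `ProtectSystem=full` makes /usr, /boot and /etc read-only and leaves /var and /run alone, so the pid file named in `ExecStart` stays readable.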
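Review bot: The hardening block added to brickd.service is the same eight directives as in the resume unit and carries no record of what was checked against the daemon itself. `ProtectSystem=full` makes /usr, /boot and /etc read-only and `ProtectHome=true` hides /home, /root and /run/user, so the patch header or the changelog entry should state that `brickd --daemon` was started under these settings and still writes `PIDFile=/var/run/brickd.pid`. The "added automatically" comment alone does not tell a later maintainer which directives were verified and which can be tightened.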