Hello community,

here is the log from the commit of package rtkit for openSUSE:Factory checked 
in at 2021-11-22 23:03:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rtkit (Old)
 and      /work/SRC/openSUSE:Factory/.rtkit.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rtkit"

Mon Nov 22 23:03:45 2021 rev:31 rq:932435 version:0.13

Changes:
--------
--- /work/SRC/openSUSE:Factory/rtkit/rtkit.changes      2021-06-05 
23:30:37.056342555 +0200
+++ /work/SRC/openSUSE:Factory/.rtkit.new.1895/rtkit.changes    2021-11-22 
23:03:53.905989541 +0100
@@ -1,0 +2,6 @@
+Tue Nov 16 10:49:44 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_rtkit-daemon.service.patch
+
+-------------------------------------------------------------------
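Review bot: the new changelog entry names the patch and bsc#1181400 but does not say what was hardened. Naming the unit (rtkit-daemon.service) and the kind of options added would let a reader of rtkit.changes judge the impact without opening the patch. "service(s)" and "patch(es)" read as template text; exactly one unit and one patch are involved here, so the singular would be clearer.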

New:
----
  harden_rtkit-daemon.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rtkit.spec ++++++
--- /var/tmp/diff_new_pack.BoNX9w/_old  2021-11-22 23:03:54.429987782 +0100
+++ /var/tmp/diff_new_pack.BoNX9w/_new  2021-11-22 23:03:54.433987769 +0100
@@ -26,6 +26,7 @@
 Group:          System/Base
 URL:            https://github.com/heftig/rtkit
 Source:         
https://github.com/heftig/rtkit/releases/download/v%{version}/rtkit-%{version}.tar.xz
+Patch0:        harden_rtkit-daemon.service.patch
 BuildRequires:  automake
 BuildRequires:  libcap-devel
 BuildRequires:  pkg-config
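Review bot: the added Patch0: line starts its value one column short of the neighbouring Group:, URL:, Source: and BuildRequires: tags. Pad it with one more space so the preamble stays aligned.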
@@ -47,6 +48,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 autoreconf -fiv
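Review bot: in %prep, the separate %patch0 -p1 line after %setup -q has to be extended by hand for every later patch. Replacing both lines with %autosetup -p1 applies every declared PatchN automatically and keeps the section from drifting out of sync with the preamble.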

++++++ harden_rtkit-daemon.service.patch ++++++
Index: rtkit-0.13/rtkit-daemon.service.in
===================================================================
--- rtkit-0.13.orig/rtkit-daemon.service.in
+++ rtkit-0.13/rtkit-daemon.service.in
@@ -25,6 +25,18 @@ BusName=org.freedesktop.RealtimeKit1
 NotifyAccess=main
 CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT 
CAP_SETGID CAP_SETUID
 PrivateNetwork=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# end of automatic additions 
 
 [Install]
 WantedBy=multi-user.target
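Review bot: the added block is marked "added automatically", and nothing in the hunk or the changelog records that rtkit-daemon was exercised with these settings. The unit keeps CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID and CAP_DAC_READ_SEARCH in its CapabilityBoundingSet, so the daemon evidently chroots, switches user and reads other users' files at run time. Please confirm that a client can still obtain realtime scheduling over org.freedesktop.RealtimeKit1 with ProtectHome=true, PrivateDevices=true and ProtectKernelTunables=true in effect, and note the result in the patch header. Two smaller points: ProtectSystem=full leaves everything outside /usr, /boot, /efi and /etc writable, so if the daemon writes nothing to disk, ProtectSystem=strict would be the tighter choice. The "# end of automatic additions " line also carries a trailing space.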
