Hello community,

here is the log from the commit of package robinhood for openSUSE:Factory checked in at 2021-11-22 23:04:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/robinhood (Old)
 and      /work/SRC/openSUSE:Factory/.robinhood.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "robinhood" Mon Nov 22 23:04:12 2021 rev:10 rq:932916 version:3.1.6 Changes: -------- --- /work/SRC/openSUSE:Factory/robinhood/robinhood.changes 2020-10-23 12:24:49.412903954 +0200 +++ /work/SRC/openSUSE:Factory/.robinhood.new.1895/robinhood.changes 2021-11-22 23:04:57.717775416 +0100 @@ -1,0 +2,7 @@ +Mon Nov 15 16:09:14 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_robinhood.service.patch + * [email protected] + +------------------------------------------------------------------- New: ---- harden_robinhood.service.patch [email protected] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ robinhood.spec ++++++ --- /var/tmp/diff_new_pack.PY5u89/_old 2021-11-22 23:04:58.157773939 +0100 +++ /var/tmp/diff_new_pack.PY5u89/_new 2021-11-22 23:04:58.157773939 +0100 @@ -1,7 +1,7 @@ # # spec file for package robinhood # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -37,6 +37,8 @@ Patch2: rbh-config.patch Patch3: avoid-version.patch Patch4: make-test_confparam-depend-on-lustre.patch +Patch5: harden_robinhood.service.patch +Patch6: [email protected] BuildRequires: automake BuildRequires: fdupes BuildRequires: glib2-devel @@ -100,7 +102,6 @@ Tests and examples for the robinhood policy engine. %prep - %setup -q -n %{name}-%{githash} %patch1 # the macro {installdir_www} is not known in the patch 
@@ -108,6 +109,8 @@ %patch2 %patch3 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 # remove spurious executeable bits find ./doc/templates -type f -executable -exec chmod 644 {} + ++++++ harden_robinhood.service.patch ++++++ Index: robinhood-1ca39f131bb35f120f458faf4e70779d5621e8cd/scripts/robinhood.service.in =================================================================== --- robinhood-1ca39f131bb35f120f458faf4e70779d5621e8cd.orig/scripts/robinhood.service.in +++ robinhood-1ca39f131bb35f120f458faf4e70779d5621e8cd/scripts/robinhood.service.in @@ -3,6 +3,15 @@ Description=Robinhood server #only works if config file is unique [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple KillMode=mixed EnvironmentFile=-@CONFDIR@/sysconfig/robinhood ++++++ [email protected] ++++++ Index: robinhood-1ca39f131bb35f120f458faf4e70779d5621e8cd/scripts/[email protected] =================================================================== --- robinhood-1ca39f131bb35f120f458faf4e70779d5621e8cd.orig/scripts/[email protected] +++ robinhood-1ca39f131bb35f120f458faf4e70779d5621e8cd/scripts/[email protected] @@ -2,6 +2,15 @@ Description=Robinhood server for %I [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple KillMode=mixed EnvironmentFile=-@CONFDIR@/sysconfig/robinhood
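Review bot: In the robinhood.spec hunk at @@ -37,6 +37,8 @@, Patch5 and Patch6 are added with no tag comment above them, so the spec itself does not record that they are distribution-only hardening or which bug they belong to. A comment line above each Patch entry in the usual openSUSE form (PATCH-FIX-OPENSUSE, the patch name, bsc#1181400 and a short description) would keep that traceable from the spec without having to open the .changes file.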
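Review bot: In the scripts/robinhood.service.in hunk (@@ -3,6 +3,15 @@), ProtectKernelTunables=true needs a functional check before this ships, because it makes /proc/sys, /sys and /proc/fs read-only for the unit, and this package is built against Lustre (see make-test_confparam-depend-on-lustre.patch in the spec). If the daemon or any policy action it runs writes Lustre parameters under those trees, the write will fail after this change; please confirm with a run against a Lustre mount, or drop that one directive and note why. The block also stops at kernel and cgroup protections: there is no ProtectSystem=, ProtectHome=, PrivateTmp=, PrivateDevices= or NoNewPrivileges=. That is plausibly deliberate for a policy engine that has to walk and modify arbitrary file systems, but the comment should say so, so that a later reader does not take this set for the full hardening. Output of systemd-analyze security for the unit before and after would make the actual gain visible in the request.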
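Review bot: In the hunk for the templated unit (Description=Robinhood server for %I, @@ -2,6 +2,15 @@), the inserted comment only says "added automatically" and links the wiki page; it does not carry the bug reference that the changelog uses. Adding bsc#1181400 to the comment line would let someone who finds a failing instance trace the directives back to this change from the installed unit alone. The six directives are a verbatim copy of the block in robinhood.service.in, so any directive that is adjusted there after testing has to be changed here as well; since each instance serves a different file system (%I), please test at least one instantiated unit and not only the plain service.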
