Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package sensors for openSUSE:Factory checked
in at 2021-11-24 23:54:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sensors (Old)
and /work/SRC/openSUSE:Factory/.sensors.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sensors"
Wed Nov 24 23:54:12 2021 rev:108 rq:932990 version:3.6.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/sensors/sensors.changes 2021-08-25
20:56:13.873316920 +0200
+++ /work/SRC/openSUSE:Factory/.sensors.new.1895/sensors.changes
2021-11-24 23:54:21.384502405 +0100
@@ -1,0 +2,8 @@
+Tue Nov 16 15:44:52 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_fancontrol.service.patch
+ * harden_lm_sensors.service.patch
+ * harden_sensord.service.patch
+
+-------------------------------------------------------------------
New:
----
harden_fancontrol.service.patch
harden_lm_sensors.service.patch
harden_sensord.service.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sensors.spec ++++++
--- /var/tmp/diff_new_pack.fqey3h/_old 2021-11-24 23:54:22.152499827 +0100
+++ /var/tmp/diff_new_pack.fqey3h/_new 2021-11-24 23:54:22.156499813 +0100
@@ -52,6 +52,9 @@
#PATCH-FIX-UPSTREAM Change PIDFile path from /var/run to /run
Patch12: change-pidfile-path-from-var-run-to-run.patch
Patch13: var-run-deprecated.patch
+Patch14: harden_fancontrol.service.patch
+Patch15: harden_lm_sensors.service.patch
+Patch16: harden_sensord.service.patch
BuildRequires: bison
BuildRequires: flex
BuildRequires: rrdtool-devel
@@ -124,6 +127,9 @@
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
%build
RPM_OPT_FLAGS="%{optflags}"
++++++ harden_fancontrol.service.patch ++++++
Index: lm-sensors-3-6-0/prog/init/fancontrol.service
===================================================================
--- lm-sensors-3-6-0.orig/prog/init/fancontrol.service
+++ lm-sensors-3-6-0/prog/init/fancontrol.service
@@ -4,6 +4,16 @@ ConditionFileNotEmpty=/etc/fancontrol
After=lm_sensors.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
PIDFile=/run/fancontrol.pid
ExecStart=/usr/sbin/fancontrol
++++++ harden_lm_sensors.service.patch ++++++
Index: lm-sensors-3-6-0/prog/init/lm_sensors.service
===================================================================
--- lm-sensors-3-6-0.orig/prog/init/lm_sensors.service
+++ lm-sensors-3-6-0/prog/init/lm_sensors.service
@@ -2,6 +2,16 @@
Description=Initialize hardware monitoring sensors
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
EnvironmentFile=/etc/sysconfig/lm_sensors
Type=oneshot
RemainAfterExit=yes
++++++ harden_sensord.service.patch ++++++
Index: lm-sensors-3-6-0/prog/init/sensord.service
===================================================================
--- lm-sensors-3-6-0.orig/prog/init/sensord.service
+++ lm-sensors-3-6-0/prog/init/sensord.service
@@ -3,6 +3,16 @@ Description=Log hardware monitoring data
After=lm_sensors.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
EnvironmentFile=/etc/sysconfig/sensord
Type=forking
PIDFile=/run/sensord.pid
