Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package syncthing for openSUSE:Factory checked in at 2021-11-24 23:54:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/syncthing (Old)
 and      /work/SRC/openSUSE:Factory/.syncthing.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syncthing" Wed Nov 24 23:54:33 2021 rev:115 rq:933493 version:1.18.4 Changes: -------- --- /work/SRC/openSUSE:Factory/syncthing/syncthing.changes 2021-11-03 17:26:34.349347283 +0100 +++ /work/SRC/openSUSE:Factory/.syncthing.new.1895/syncthing.changes 2021-11-24 23:55:01.392368109 +0100 @@ -1,0 +2,8 @@ +Wed Nov 24 10:16:04 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_strelaysrv.service.patch + * harden_syncthing-resume.service.patch + * harden_syncthing@.service.patch + +------------------------------------------------------------------- New: ---- harden_strelaysrv.service.patch harden_syncthing-resume.service.patch harden_syncthing@.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ syncthing.spec ++++++ --- /var/tmp/diff_new_pack.DqCSWj/_old 2021-11-24 23:55:02.016366014 +0100 +++ /var/tmp/diff_new_pack.DqCSWj/_new 2021-11-24 23:55:02.016366014 +0100 @@ -26,6 +26,9 @@ Source: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-source-v%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-source-v%{version}.tar.gz.asc Source2: %{name}.keyring +Patch0: harden_strelaysrv.service.patch +Patch1: harden_syncthing-resume.service.patch +Patch2: harden_syncthing@.service.patch BuildRequires: systemd-rpm-macros BuildRequires: golang(API) >= 1.14 BuildRequires: pkgconfig(systemd) 
@@ -49,6 +52,9 @@ %prep %setup -q -n %{name} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build # move source archive which is extracted as "syncthing" to be "src/github.com/syncthing/syncthing" ++++++ harden_strelaysrv.service.patch ++++++ Index: syncthing/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service =================================================================== --- syncthing.orig/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service +++ syncthing/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service @@ -17,6 +17,15 @@ NoNewPrivileges=true PrivateTmp=true PrivateDevices=true ProtectHome=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions SystemCallArchitectures=native MemoryDenyWriteExecute=true ++++++ harden_syncthing-resume.service.patch ++++++ Index: syncthing/etc/linux-systemd/system/syncthing-resume.service =================================================================== --- syncthing.orig/etc/linux-systemd/system/syncthing-resume.service +++ syncthing/etc/linux-systemd/system/syncthing-resume.service 
@@ -4,6 +4,17 @@ Documentation=man:syncthing(1) After=sleep.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=-/usr/bin/pkill -HUP -x syncthing ++++++ harden_syncthing@.service.patch ++++++ Index: syncthing/etc/linux-systemd/system/syncthing@.service =================================================================== --- syncthing.orig/etc/linux-systemd/system/syncthing@.service +++ syncthing/etc/linux-systemd/system/syncthing@.service @@ -16,6 +16,17 @@ RestartForceExitStatus=3 4 # Hardening ProtectSystem=full PrivateTmp=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions SystemCallArchitectures=native MemoryDenyWriteExecute=true NoNewPrivileges=true
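Review bot: the strelaysrv.service hunk (@@ -17,6 +17,15 @@) omits ProtectClock=true, which the syncthing-resume and syncthing@ hunks in the same submission do add; a relay server has no reason to set the system clock, so for consistency across the three patches consider adding `ProtectClock=true` next to `ProtectHostname=true`. A documentation point for all three patch files: each starts directly at the `Index:` line with no header describing the change or naming bsc#1181400 from the changelog, so a one-line description at the top of each patch would help whoever rebases them on the next upstream release.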
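Review bot: in the syncthing-resume.service hunk (@@ -4,6 +4,17 @@) the hardening lands on a oneshot whose only command is `ExecStart=-/usr/bin/pkill -HUP -x syncthing`; the leading `-` tells systemd to ignore a non-zero exit, so if any of the new directives ever made pkill fail, the resume hook would break silently rather than showing up as a failed unit. The added directives do not touch /proc or signal delivery, so this should keep working, but it is worth one manual check after applying the patch (start the unit and confirm in its journal that pkill ran cleanly) before merging.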
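Review bot: the syncthing@.service hunk (@@ -16,6 +16,17 @@) adds the same set as the resume unit and, unlike the strelaysrv unit, deliberately leaves ProtectHome unset, which is correct for a per-user template that has to write the files it synchronises. Since the block is labelled "added automatically", a short comment noting that ProtectHome is intentionally absent here would stop a later automated hardening pass from adding it and breaking the instance.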