Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package smartmontools for openSUSE:Factory checked in at 2021-11-28 21:29:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/smartmontools (Old)
 and      /work/SRC/openSUSE:Factory/.smartmontools.new.1895 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "smartmontools" Sun Nov 28 21:29:52 2021 rev:84 rq:933647 version:7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/smartmontools/smartmontools.changes 2021-08-27 21:43:26.665938588 +0200 +++ /work/SRC/openSUSE:Factory/.smartmontools.new.1895/smartmontools.changes 2021-11-28 21:29:54.154115800 +0100 @@ -1,0 +2,8 @@ +Wed Nov 17 10:18:54 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_smartd.service.patch + Modified: + * smartd_generate_opts.service + +------------------------------------------------------------------- New: ---- harden_smartd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ smartmontools.spec ++++++ --- /var/tmp/diff_new_pack.1qfvx1/_old 2021-11-28 21:29:54.910113381 +0100 +++ /var/tmp/diff_new_pack.1qfvx1/_new 2021-11-28 21:29:54.914113368 +0100 @@ -41,6 +41,7 @@ Patch4: smartmontools-suse-default.patch # PATCH-FIX-OPENSUSE smartmontools-var-lock-subsys.patch [email protected] -- Do not use unsupported /var/lock/subsys. Patch10: smartmontools-var-lock-subsys.patch +Patch11: harden_smartd.service.patch Requires(pre): %fillup_prereq # Needed by generate_smartd_opt: Requires(pre): coreutils 
@@ -76,6 +77,7 @@ cp -a %{SOURCE7} drivedb.h.new %patch4 %patch10 -p1 +%patch11 -p1 # # PATCH-FEATURE-OPENSUSE (sed on smartd.service.in) [email protected] -- Use generated smartd_opts (from SUSE sysconfig file). Systemd smartd.service cannot be smart enough to parse SUSE sysconfig file and generate smartd_opts on fly. And we do not want to launch shell just for it in every boot. sed "s:/usr/local/etc/sysconfig/smartmontools:%{_localstatedir}/lib/smartmontools/smartd_opts:" <smartd.service.in >smartd.service.in.new ++++++ harden_smartd.service.patch ++++++ Index: smartmontools-7.2/smartd.service.in =================================================================== --- smartmontools-7.2.orig/smartd.service.in +++ smartmontools-7.2/smartd.service.in @@ -4,6 +4,16 @@ Documentation=man:smartd(8) man:smartd.c ConditionVirtualization=no [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=notify EnvironmentFile=-/usr/local/etc/sysconfig/smartmontools ExecStart=/usr/local/sbin/smartd -n $smartd_opts ++++++ smartd_generate_opts.service ++++++ --- /var/tmp/diff_new_pack.1qfvx1/_old 2021-11-28 21:29:54.954113240 +0100 +++ /var/tmp/diff_new_pack.1qfvx1/_new 2021-11-28 21:29:54.954113240 +0100 @@ -3,6 +3,16 @@ Wants=local-fs.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/lib/smartmontools/generate_smartd_opts
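Review bot: Patch11 in the smartmontools.spec hunk at -41,6 is added without the tag comment that Patch10 directly above it carries (`# PATCH-FIX-OPENSUSE smartmontools-var-lock-subsys.patch ...`). Add a matching comment line above `Patch11: harden_smartd.service.patch` that names the patch, references bsc#1181400 and gives the one-line reason, so the spec itself records why the patch exists and not only the .changes entry.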
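Review bot: in the %prep hunk at -76,6, `%patch11 -p1` has an undocumented ordering dependency on the sed that follows it. The trailing context of harden_smartd.service.patch contains `EnvironmentFile=-/usr/local/etc/sysconfig/smartmontools`, which is exactly the string the sed rewrites, so the patch has to be applied to the unmodified smartd.service.in. A short comment next to `%patch11 -p1` saying so would keep a later reordering from leaving the hunk context unmatched.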
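Review bot: the [Service] block added to smartd.service.in in harden_smartd.service.patch says only that it was "added automatically" and does not record why this set of directives is safe for smartd or what it changes for administrators. The sandbox applies to everything started from `ExecStart=/usr/local/sbin/smartd -n $smartd_opts`, including any helper process the daemon runs: `ProtectHome=true` makes /home, /root and /run/user inaccessible, and `ProtectSystem=full` makes /usr, /boot, /efi and /etc read-only. Please state in the patch header or the .changes entry that a local configuration relying on those paths from within the service will stop working, and, if PrivateDevices= was left out on purpose because the daemon needs the disk device nodes, say so in the comment block so that a later hardening pass does not add it.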
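Review bot: in smartd_generate_opts.service the same seven directives are pasted in unchanged for a `Type=oneshot` unit whose only job is `ExecStart=/usr/lib/smartmontools/generate_smartd_opts`, and `ProtectSystem=full` still leaves /var and the rest of the file system writable. If the generator writes nothing but the smartd_opts file under %{_localstatedir}/lib/smartmontools that the spec's sed points smartd.service at, consider `ProtectSystem=strict` with `ReadWritePaths=` limited to that directory; otherwise add a comment explaining why the looser setting is needed here.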
