Hello community,

here is the log from the commit of package squid for openSUSE:Factory checked in at 2021-12-08 00:00:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/squid (Old)
 and      /work/SRC/openSUSE:Factory/.squid.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "squid" Wed Dec 8 00:00:02 2021 rev:95 rq:936249 version:5.2 Changes: -------- --- /work/SRC/openSUSE:Factory/squid/squid.changes 2021-10-08 00:06:44.605823800 +0200 +++ /work/SRC/openSUSE:Factory/.squid.new.31177/squid.changes 2021-12-08 00:00:27.875593175 +0100 @@ -1,0 +2,8 @@ +Tue Nov 23 15:20:27 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_squid.service.patch + Modified: + * squid.service + +------------------------------------------------------------------- New: ---- harden_squid.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ squid.spec ++++++ --- /var/tmp/diff_new_pack.UyJwP1/_old 2021-12-08 00:00:28.567590807 +0100 +++ /var/tmp/diff_new_pack.UyJwP1/_new 2021-12-08 00:00:28.567590807 +0100 @@ -46,6 +46,7 @@ Source17: tmpfilesdir.squid.conf Patch1: missing_installs.patch Patch2: old_nettle_compat.patch +Patch3: harden_squid.service.patch BuildRequires: cppunit-devel BuildRequires: expat BuildRequires: fdupes @@ -98,6 +99,7 @@ %prep %setup -q cp %{SOURCE10} . +%patch3 -p1 # upstream patches after RELEASE perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"` ++++++ harden_squid.service.patch ++++++ Index: squid-5.2/tools/systemd/squid.service =================================================================== --- squid-5.2.orig/tools/systemd/squid.service +++ squid-5.2/tools/systemd/squid.service 
@@ -11,6 +11,19 @@ Documentation=man:squid(8) After=network.target network-online.target nss-lookup.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=notify PIDFile=/var/run/squid.pid ExecStartPre=/usr/sbin/squid --foreground -z ++++++ squid.service ++++++ --- /var/tmp/diff_new_pack.UyJwP1/_old 2021-12-08 00:00:28.711590313 +0100 +++ /var/tmp/diff_new_pack.UyJwP1/_new 2021-12-08 00:00:28.715590300 +0100 @@ -4,6 +4,19 @@ After=network.target named.service nss-lookup.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking ExecStartPre=%{_libexecdir}/squid/initialize_cache_if_needed.sh ExecStart=/usr/sbin/squid -FC
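
Review bot: The hardening block that harden_squid.service.patch adds to tools/systemd/squid.service is repeated line for line in the packaged squid.service, yet the two units are different files (`Type=notify` with `PIDFile=/var/run/squid.pid` in the first, `Type=forking` with `ExecStartPre=%{_libexecdir}/squid/initialize_cache_if_needed.sh` in the second). Please state in the changelog which unit is actually installed; if only one ships, drop the change to the other so that future tightening does not have to be applied twice and cannot drift between the copies.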
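
Review bot: In the `[Service]` section of squid.service, `ProtectSystem=full` and `ProtectHome=true` are added with no `ReadWritePaths=` exception, so the service can no longer write under /usr, /boot or /etc, and /home, /root and /run/user become inaccessible to it. Paths under /var stay writable, but a squid.conf that puts a cache directory, log file or certificate database under /etc or a home directory will fail at start after this update, and the `ExecStartPre` script runs under the same restrictions. Please confirm that `initialize_cache_if_needed.sh` and a default configuration were started with the new settings, and note in the changelog that non-default paths need a drop-in override; running `systemd-analyze security squid.service` on a test install would also show what the automatic block leaves unrestricted.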