Hello community,

here is the log from the commit of package parsec for openSUSE:Factory checked in at 2021-12-21 18:40:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/parsec (Old)
 and      /work/SRC/openSUSE:Factory/.parsec.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "parsec" Tue Dec 21 18:40:51 2021 rev:9 rq:941864 version:0.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/parsec/parsec.changes 2021-12-09 19:46:26.901157490 +0100 +++ /work/SRC/openSUSE:Factory/.parsec.new.2520/parsec.changes 2021-12-21 18:41:31.385921852 +0100 @@ -7,0 +8,9 @@ +Fri Oct 15 07:01:37 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_parsec.service.patch + Modified: + * parsec.service + * Upstream submission: https://github.com/parallaxsecond/parsec/issues/569 + +------------------------------------------------------------------- New: ---- harden_parsec.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ parsec.spec ++++++ --- /var/tmp/diff_new_pack.HKlb62/_old 2021-12-21 18:41:32.169922556 +0100 +++ /var/tmp/diff_new_pack.HKlb62/_new 2021-12-21 18:41:32.173922559 +0100 @@ -33,6 +33,8 @@ Source5: parsec.conf Source6: system-user-parsec.conf Source10: https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz +# PATCH-FIX-UPSTREAM - https://github.com/parallaxsecond/parsec/issues/569 +Patch0: harden_parsec.service.patch BuildRequires: cargo BuildRequires: clang-devel BuildRequires: cmake @@ -75,6 +77,7 @@ # all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator", "jwt-svid-authenticator"] # But disable "trusted-service-provider" until we have a trusted-services package echo 'default = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "all-authenticators"]' >> Cargo.toml +%patch0 -p1 %build export PROTOC=%{_bindir}/protoc ++++++ harden_parsec.service.patch ++++++ Index: parsec-0.8.0/systemd-daemon/parsec.service =================================================================== --- parsec-0.8.0.orig/systemd-daemon/parsec.service +++ parsec-0.8.0/systemd-daemon/parsec.service 
@@ -3,6 +3,17 @@ Description=Parsec Service Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions WorkingDirectory=/home/parsec/ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml ++++++ parsec.service ++++++ --- /var/tmp/diff_new_pack.HKlb62/_old 2021-12-21 18:41:32.269922646 +0100 +++ /var/tmp/diff_new_pack.HKlb62/_new 2021-12-21 18:41:32.273922649 +0100 @@ -3,6 +3,17 @@ Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=notify KillMode=process Restart=on-failure
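Review bot: In the parsec.spec hunks, Patch0 and the `%patch0 -p1` line at the end of %prep apply the hardening block to systemd-daemon/parsec.service in the tarball, while the same block is also added to the package's own parsec.service file, so the directives are maintained in two places. If the packaged parsec.service is the unit that gets installed, the patch has no effect on the shipped result and the two copies can drift apart. Say in the comment above Patch0 which unit the patch is meant for, or drop the copy that is not installed.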
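Review bot: In the harden_parsec.service.patch hunk, `ProtectHome=true` is added a few lines above the unchanged context line `WorkingDirectory=/home/parsec/`, and the two conflict. With ProtectHome=true systemd makes /home, /root and /run/user inaccessible and empty for the service, so the change of directory into /home/parsec/ cannot succeed and the unit fails before ExecStart runs. Either move the working directory out of /home (for example to a StateDirectory= location) or leave ProtectHome out of this unit, and confirm the patched unit actually starts.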
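Review bot: In the parsec.service hunk, `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only, so the rest of the file system stays writable to the daemon. If the paths the service has to write to are known, ProtectSystem=strict with an explicit ReadWritePaths= list would be tighter. The comment says the block was "added automatically", so the changelog entry should also record that the service was started and exercised with these settings.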
