Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package thinkfan for openSUSE:Factory checked in at 2021-12-29 21:10:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/thinkfan (Old)
 and      /work/SRC/openSUSE:Factory/.thinkfan.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "thinkfan" Wed Dec 29 21:10:46 2021 rev:2 rq:942927 version:1.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/thinkfan/thinkfan.changes 2021-11-18 10:33:39.311897442 +0100 +++ /work/SRC/openSUSE:Factory/.thinkfan.new.2520/thinkfan.changes 2021-12-29 21:10:59.454287215 +0100 @@ -1,0 +2,8 @@ +Wed Nov 24 15:12:55 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_thinkfan-sleep.service.patch + * harden_thinkfan-wakeup.service.patch + * harden_thinkfan.service.patch + +------------------------------------------------------------------- New: ---- harden_thinkfan-sleep.service.patch harden_thinkfan-wakeup.service.patch harden_thinkfan.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ thinkfan.spec ++++++ --- /var/tmp/diff_new_pack.0fTgqZ/_old 2021-12-29 21:11:01.038288517 +0100 +++ /var/tmp/diff_new_pack.0fTgqZ/_new 2021-12-29 21:11:01.042288520 +0100 @@ -29,11 +29,14 @@ Source0: %{name}-%{version}.tar.bz2 Source1: thinkfan-sysconfig Patch1: thinkfan-systemd.patch +Patch2: harden_thinkfan-sleep.service.patch +Patch3: harden_thinkfan-wakeup.service.patch +Patch4: harden_thinkfan.service.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libatasmart-devel -BuildRequires: pkgconfig(systemd) BuildRequires: yaml-cpp-devel +BuildRequires: pkgconfig(systemd) %description A simple fan control program. Read temperatures, check them against configured ++++++ harden_thinkfan-sleep.service.patch ++++++ Index: thinkfan-1.3.0/rcscripts/systemd/thinkfan-sleep.service =================================================================== --- thinkfan-1.3.0.orig/rcscripts/systemd/thinkfan-sleep.service +++ thinkfan-1.3.0/rcscripts/systemd/thinkfan-sleep.service 
@@ -3,6 +3,16 @@ Description=Notify thinkfan of imminent Before=sleep.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/bin/pkill -x -winch thinkfan # Hack: Since the signal handler races with the sleep, we need to delay a bit ++++++ harden_thinkfan-wakeup.service.patch ++++++ Index: thinkfan-1.3.0/rcscripts/systemd/thinkfan-wakeup.service =================================================================== --- thinkfan-1.3.0.orig/rcscripts/systemd/thinkfan-wakeup.service +++ thinkfan-1.3.0/rcscripts/systemd/thinkfan-wakeup.service @@ -7,6 +7,16 @@ After=hybrid-sleep.target After=hibernate.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +RestrictRealtime=true +# end of automatic additions Type=oneshot ExecStart=/usr/bin/pkill -x -usr2 thinkfan ++++++ harden_thinkfan.service.patch ++++++ Index: thinkfan-1.3.0/rcscripts/systemd/thinkfan.service.cmake =================================================================== --- thinkfan-1.3.0.orig/rcscripts/systemd/thinkfan.service.cmake +++ thinkfan-1.3.0/rcscripts/systemd/thinkfan.service.cmake 
@@ -4,6 +4,16 @@ After=sysinit.target After=systemd-modules-load.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +RestrictRealtime=true +# end of automatic additions EnvironmentFile=-/etc/sysconfig/thinkfan Type=forking ExecStart=@CMAKE_INSTALL_PREFIX@/sbin/thinkfan $THINKFAN_ARGS
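Review bot: In the thinkfan.spec hunk, moving "BuildRequires: pkgconfig(systemd)" below yaml-cpp-devel is a pure reordering that has nothing to do with the hardening change and is not mentioned in the thinkfan.changes entry. Either drop it from this submission or mention it in the changelog, so the diff carries only what bsc#1181400 needs. The hunk also adds Patch2 through Patch4 but shows no matching application step, so please confirm that %prep really applies them (explicit %patch lines or %autopatch); otherwise the units ship unhardened while the changelog says they are hardened.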
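Review bot: In the thinkfan.service.cmake hunk, ProtectKernelTunables=true needs to be checked against what the daemon actually does before this goes in. systemd documents that this option makes /sys, /proc/sys, /proc/acpi and related paths read-only for every process of the unit, and the spec describes thinkfan as a fan control program. If the daemon sets the fan level by writing to files under /sys or /proc/acpi, those writes will fail with this line in place and the fan will no longer be regulated. The comment states the block was "added automatically", so I would ask for a test run on real hardware (start the service, confirm the fan level changes under load) and for this one directive to be dropped from thinkfan.service if the write path is affected. The identical blocks in thinkfan-sleep.service and thinkfan-wakeup.service only wrap a single pkill call and look lower risk, but a suspend/resume cycle should be part of the same test.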