Hello community,
here is the log from the commit of package coturn for openSUSE:Factory checked in at 2021-08-31 19:55:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/coturn (Old)
and /work/SRC/openSUSE:Factory/.coturn.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "coturn"
Tue Aug 31 19:55:30 2021 rev:8 rq:915145 version:4.5.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/coturn/coturn.changes 2021-01-11 17:17:59.864764853 +0100
+++ /work/SRC/openSUSE:Factory/.coturn.new.1899/coturn.changes 2021-08-31 19:56:25.158016607 +0200
@@ -1,0 +2,9 @@
+Mon Aug 30 11:55:53 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_coturn.service.patch
+ Modified:
+ * coturn.service
+ * coturn@.service
+
+-------------------------------------------------------------------
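Review bot: The changelog entry does not say what the hardening consists of, and the three files are not treated alike. harden_coturn.service.patch adds ProtectSystem, ProtectHome and the other Protect* settings plus RestrictRealtime to examples/etc/coturn.service, while coturn.service and coturn@.service gain only RestrictRealtime=true. Listing the directives per file in the entry would let a reader tell which unit received which restriction without opening the patch.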
New:
----
harden_coturn.service.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ coturn.spec ++++++
--- /var/tmp/diff_new_pack.RYwl1i/_old 2021-08-31 19:56:26.034017704 +0200
+++ /var/tmp/diff_new_pack.RYwl1i/_new 2021-08-31 19:56:26.034017704 +0200
@@ -40,6 +40,7 @@
Source7: README.SUSE
Source8: %{name}-apparmor-usr.bin.turnserver
Source9: %{name}@.service
+Patch0: harden_coturn.service.patch
BuildRequires: fdupes
BuildRequires: firewall-macros
BuildRequires: libevent-devel >= 2.0.0
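Review bot: Patch0 is declared at line 43, but this is the only spec hunk in the diff, so nothing visible here applies it. Confirm that %prep picks it up, for example through %autosetup or an explicit %patch0 -p1 (the patch paths start with coturn-4.5.2/, so one leading component has to be stripped). Since Source9 shows that the package carries its own unit files, the spec should also make clear whether the patched examples/etc/coturn.service is installed at all; if it is not, the patch has no effect on the running service.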
++++++ coturn.service ++++++
--- /var/tmp/diff_new_pack.RYwl1i/_old 2021-08-31 19:56:26.118017809 +0200
+++ /var/tmp/diff_new_pack.RYwl1i/_new 2021-08-31 19:56:26.118017809 +0200
@@ -44,6 +44,10 @@
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+RestrictRealtime=true
+# end of automatic additions
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
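Review bot: RestrictRealtime=true is spelled with "true" while the surrounding context lines use "yes" (RestrictNamespaces=yes, RestrictSUIDSGID=yes). systemd accepts both spellings, so this is a style point only, but writing RestrictRealtime=yes would keep the unit consistent. The marker comments also split the existing Restrict*/SystemCall* group in two; placing the block after SystemCallFilter= would keep the hand-written settings together.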
++++++ coturn@.service ++++++
--- /var/tmp/diff_new_pack.RYwl1i/_old 2021-08-31 19:56:26.162017864 +0200
+++ /var/tmp/diff_new_pack.RYwl1i/_new 2021-08-31 19:56:26.162017864 +0200
@@ -44,6 +44,10 @@
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+RestrictRealtime=true
+# end of automatic additions
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
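Review bot: The automatic-additions block here is a verbatim copy of the one in coturn.service, inserted at the same offset (@@ -44,6 +44,10), so any later hardening change has to be made in two places. Consider keeping the shared [Service] hardening in one source that both units are generated from, or add a build-time check that the two blocks stay identical, so the templated instances cannot drift from the main unit.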
++++++ harden_coturn.service.patch ++++++
Index: coturn-4.5.2/examples/etc/coturn.service
===================================================================
--- coturn-4.5.2.orig/examples/etc/coturn.service
+++ coturn-4.5.2/examples/etc/coturn.service
@@ -15,6 +15,18 @@ ExecStart=/usr/bin/turnserver -c /etc/tu
Restart=on-failure
InaccessibleDirectories=/home
PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
[Install]
WantedBy=multi-user.target
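Review bot: ProtectHome=true overlaps with the existing InaccessibleDirectories=/home two lines above the added block, because ProtectHome=true already makes /home, /root and /run/user inaccessible to the service. Drop the older line, or add a comment explaining why both are kept. Separately, ProtectSystem=full mounts /etc read-only for the service in addition to /usr and /boot; the ExecStart context line shows the configuration being read from under /etc, so verify that turnserver never needs to write there (for example a database or PID file) before shipping this.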