Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cups for openSUSE:Factory checked in at 2021-12-31 13:44:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cups (Old) and /work/SRC/openSUSE:Factory/.cups.new.1896 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cups" Fri Dec 31 13:44:18 2021 rev:160 rq:943130 version:2.3.3op2 Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2021-11-28 00:37:26.981427977 +0100 +++ /work/SRC/openSUSE:Factory/.cups.new.1896/cups.changes 2021-12-31 13:44:23.661262823 +0100 @@ -1,0 +2,6 @@ +Fri Oct 15 07:31:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_cups.service.patch + +------------------------------------------------------------------- New: ---- harden_cups.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.us2rLb/_old 2021-12-31 13:44:24.341263403 +0100 +++ /var/tmp/diff_new_pack.us2rLb/_new 2021-12-31 13:44:24.341263403 +0100 @@ -85,6 +85,7 @@ Patch104: cups-config-libs.patch # Patch106 Fixes web UI Kerberos authentication (bsc#1175960) Patch106: fix-negotiate-authentication-between-CGIs-and-scheduler.patch +Patch107: harden_cups.service.patch # Build Requirements: BuildRequires: dbus-1-devel BuildRequires: fdupes @@ -309,6 +310,7 @@ %patch104 -b cups-config-libs.orig # Patch106 Fixes web UI Kerberos authentication (bsc#1175960) %patch106 -p1 +%patch107 -p1 %build # Remove ".SILENT" rule for verbose build output ++++++ harden_cups.service.patch ++++++ Index: cups-2.3.3op2/scheduler/cups.service.in =================================================================== --- cups-2.3.3op2.orig/scheduler/cups.service.in +++ cups-2.3.3op2/scheduler/cups.service.in @@ -5,6 +5,17 @@ After=network.target sssd.service ypbind Requires=cups.socket [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=@sbindir@/cupsd -l Type=notify Restart=on-failure