From fdb740ba263555e0973f974e0c23faa2e626e594 Mon Sep 17 00:00:00 2001
From: lrupp <>
Date: Oct 29 2021 21:08:09 +0000
Subject: Update loki to version 2.2.1+git.1617669398.babea82e / rev 5 via SR 928144
https://build.opensuse.org/request/show/928144
by user lrupp + dimstar_suse
---
diff --git a/.files b/.files
index 78f1a81..57acdc7 100644
Binary files a/.files and b/.files differ
diff --git a/.rev b/.rev
index b2dc51e..1b2a43a 100644
--- a/.rev
+++ b/.rev
@@ -32,4 +32,12 @@
- Fix config fillup
902308
+
+ 6ff62461450302cbcba5a39389e95682
+ 2.2.1+git.1617669398.babea82e
+
+ dimstar_suse
+
+ 928144
+
diff --git a/.servicemark b/.servicemark
index 0f204fc..ac14468 100644
--- a/.servicemark
+++ b/.servicemark
@@ -1 +1 @@
-4d1fb536bde0262a4a39610199d065b4
+e63028dfabedf411546cb45322676480
diff --git a/harden_promtail.service.patch b/harden_promtail.service.patch
new file mode 100644
index 0000000..60aa367
--- /dev/null
+++ b/harden_promtail.service.patch
@@ -0,0 +1,23 @@
+Index: loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
+===================================================================
+--- loki-2.2.1+git.1617669398.babea82e.orig/docs/sources/clients/aws/ec2/promtail.service
++++ loki-2.2.1+git.1617669398.babea82e/docs/sources/clients/aws/ec2/promtail.service
+@@ -1,6 +1,18 @@
+ [Unit]
+ Description=Promtail
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ User=root
+ WorkingDirectory=/opt/promtail/
+ ExecStartPre=/bin/sleep 30
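Review bot: The patched unit keeps `User=root`, and systemd documents that mount-namespace sandboxing such as `ProtectSystem=` and `ProtectHome=` can be undone by a process that still holds CAP_SYS_ADMIN, so these additions give limited containment for this unit as written. I would add `CapabilityBoundingSet=~CAP_SYS_ADMIN` (or `SystemCallFilter=~@mount`) next to them, or run the example under a dedicated account as the packaged units do with `User=loki`. The patched file lives under `docs/sources/`, so it is presumably an example rather than a unit the package installs; if so, a spec comment next to `Patch0` saying why it is patched would help. The [Service] section continues past the end of the hunk.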
diff --git a/loki.changes b/loki.changes
index 86ca2c1..2706a02 100644
--- a/loki.changes
+++ b/loki.changes
@@ -1,4 +1,13 @@
-------------------------------------------------------------------
+Wed Oct 6 06:11:13 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_promtail.service.patch
+ Modified:
+ * loki.service
+ * promtail.service
+
+-------------------------------------------------------------------
Fri Jun 25 08:58:58 UTC 2021 - Stefano Torresi
- Fix config fillup
diff --git a/loki.service b/loki.service
index a46a978..58c2c2e 100644
--- a/loki.service
+++ b/loki.service
@@ -3,6 +3,18 @@ Description=Loki is a horizontally-scalable, highly-available, multi-tenant log
Documentation=https://github.com/grafana/loki
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Restart=always
User=loki
EnvironmentFile=-/etc/sysconfig/loki
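Review bot: The added block never sets `NoNewPrivileges=true`, so a process started by this unit can still gain privileges through setuid or file-capability binaries even though it runs as `User=loki`; the identical block in promtail.service has the same gap. I would add `NoNewPrivileges=true` before `# end of automatic additions`, after confirming that the service does not exec a helper that relies on privilege elevation. `ProtectSystem=full` also leaves everything outside /usr, /boot, /efi and /etc writable. `ProtectSystem=strict` with `ReadWritePaths=<loki data directory>` (placeholder, the path is not visible here) would be tighter. The rest of the [Service] section is outside the hunk.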
diff --git a/loki.spec b/loki.spec
index a6a469c..9a07c01 100644
--- a/loki.spec
+++ b/loki.spec
@@ -28,6 +28,7 @@ Source1: loki.service
Source2: promtail.service
Source3: sysconfig.loki
Source4: sysconfig.promtail
+Patch0: harden_promtail.service.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: golang-packaging
BuildRequires: systemd-devel
@@ -57,6 +58,7 @@ This package contains the Promtail client.
%prep
%setup -q %{name}-%{version}
+%patch0 -p1
%build
%define buildpkg github.com/grafana/loki/pkg/build
diff --git a/promtail.service b/promtail.service
index f0cb7d2..f17b98b 100644
--- a/promtail.service
+++ b/promtail.service
@@ -3,6 +3,18 @@ Description=promtail is the agent responsible for gathering logs and sending the
Documentation=https://github.com/grafana/loki/blob/master/docs/promtail.md
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Restart=always
User=loki
EnvironmentFile=-/etc/sysconfig/promtail
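Review bot: `ProtectHome=true` makes /home, /root and /run/user inaccessible to promtail, which matters for a log collector: scrape targets configured under those directories will presumably stop matching files without an obvious error. That is a reasonable default, but it should be documented next to the directive, for example `# ProtectHome hides /home, /root and /run/user; use a drop-in override if promtail must read logs there`. The remainder of the unit is outside the hunk.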