Merge pull request #216 from arnaldo2792/cherry-pick-3.1.x

arnaldo2792 · web-flow · commit 8d02857669e6 · 2024-10-24T10:35:48.000-07:00
Revert "add default security settings"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v3.1.1 (2024-10-24)
+
+## OS Changes
+* Revert system-wide configuration to block writeable/executable memory in systemd services ([#215])
+
+[#215]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/215
+
 # v3.1.0 (2024-10-22)
 
 ## OS Changes
diff --git a/Twoliter.toml b/Twoliter.toml
@@ -1,5 +1,5 @@
 schema-version = 1
-release-version = "3.1.0"
+release-version = "3.1.1"
 
 [vendor.bottlerocket]
 registry = "public.ecr.aws/bottlerocket"
diff --git a/packages/release/release.spec b/packages/release/release.spec
@@ -87,7 +87,6 @@ Source1100: systemd-tmpfiles-setup-service-debug.conf
 Source1101: systemd-resolved-service-env.conf
 Source1102: systemd-networkd-service-env.conf
 Source1103: systemd-logind-inhibit-maxdelay.conf
-Source1104: systemd-service-security.conf
 
 # network link rules
 Source1200: 80-release.link
@@ -208,9 +207,6 @@ install -d %{buildroot}%{_cross_unitdir}/systemd-networkd.service.d
 install -p -m 0644 %{S:1102} \
   %{buildroot}%{_cross_unitdir}/systemd-networkd.service.d/00-env.conf
 
-install -d %{buildroot}%{_cross_unitdir}/service.d/
-install -p -m 0644 %{S:1104} %{buildroot}%{_cross_unitdir}/service.d/10-security.conf
-
 # Empty (but packaged) directory. The FIPS packages for kernels will add drop-ins to
 # this directory to arrange for the right modules to be loaded before the check runs.
 install -d %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d
@@ -316,7 +312,6 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target
 %{_cross_unitdir}/prepare-local-fs.service
 %{_cross_unitdir}/deprecation-warning@.service
 %{_cross_unitdir}/deprecation-warning@.timer
-%{_cross_unitdir}/service.d/10-security.conf
 %dir %{_cross_unitdir}/systemd-resolved.service.d
 %{_cross_unitdir}/systemd-resolved.service.d/00-env.conf
 %dir %{_cross_unitdir}/systemd-networkd.service.d
diff --git a/packages/release/systemd-service-security.conf b/packages/release/systemd-service-security.conf
