From b18357e9cacf7d7c33efdac56ad016aa68a4e129 Mon Sep 17 00:00:00 2001
From: Gofannon <17145502+Gofannon@users.noreply.github.com>
Date: Wed, 15 Apr 2020 21:55:47 +0200
Subject: [PATCH 1/3] Upgrade to version 10.6.0
---
 README.md | 2 +-
 conf/app.src | 4 ++--
 manifest.json | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 5e361bd..0005039 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ If you have constrained bandwidth, you may set an upper limit for the bit rate o
 In addition to being a streaming media server, Airsonic works very well as a local jukebox. The intuitive web interface, as well as search and index facilities, are optimized for efficient browsing through large media libraries. Airsonic also comes with an integrated Podcast receiver, with many of the same features as you find in iTunes.
-**Shipped version:** 10.5.0
+**Shipped version:** 10.6.0
 ## Screenshots
diff --git a/conf/app.src b/conf/app.src
index e3469e7..7cedc14 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/airsonic/airsonic/releases/download/v10.5.0/airsonic.war
-SOURCE_SUM=588e5362351406ac7e4eafede4fe3dae7b1e24eac6b6c330f51f413cfa184a5a
+SOURCE_URL=https://github.com/airsonic/airsonic/releases/download/v10.6.0/airsonic.war
+SOURCE_SUM=90fe5dbf83d71b83a955abbca8765ba144996ca8530648e93d1bb50d70fde827
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=false
 SOURCE_IN_SUBDIR=false
diff --git a/manifest.json b/manifest.json
index 31202d3..75242e7 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Stream and manage your music collection",
 "fr": "Streamez et gérez votre collection de musique"
 },
- "version": "10.5.0~ynh3",
+ "version": "10.6.0~ynh1",
 "url": "http://airsonic.github.io",
 "license": "GPL-3.0-or-later",
 "maintainer": {
From c4a729568bf0cd1f1f71621bad9a0b457799b107 Mon Sep 17 00:00:00 2001
From: Gofannon <17145502+Gofannon@users.noreply.github.com>
Date: Wed, 15 Apr 2020 21:56:19 +0200
Subject: [PATCH 2/3] Update system config to latest version
---
 conf/systemd.service | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index 333c7d9..e05323a 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -20,5 +20,40 @@ ExecStart=/usr/bin/java \
 User=__APP__
 Group=__APP__
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# for details
+DevicePolicy=closed
+DeviceAllow=char-alsa rw
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
+ReadWritePaths=/var/airsonic
+
+# You can uncomment the following line if you're not using the jukebox
+# This will prevent airsonic from accessing any real (physical) devices
+#PrivateDevices=yes
+
+# You can change the following line to `strict` instead of `full`
+# if you don't want airsonic to be able to
+# write anything on your filesystem outside of AIRSONIC_HOME.
+ProtectSystem=full
+
+# You can uncomment the following line if you don't have any media
+# in /home/…. This will prevent airsonic from ever reading/writing anything there.
+#ProtectHome=true
+
+# You can uncomment the following line if you're not using the OpenJDK.
+# This will prevent processes from having a memory zone that is both writeable
+# and executeable, making hacker's lifes a bit harder.
+#MemoryDenyWriteExecute=yes
+
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
From e7e5fd33f540fcfccce95895956c06cbef9dd124 Mon Sep 17 00:00:00 2001
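Review bot: The `SystemCallFilter=` deny-list and `RestrictAddressFamilies=` lines are added without `SystemCallArchitectures=native`, so on hosts that support more than one ABI (x86/x86-64, for example) the restrictions apply to the native ABI only; the systemd.exec documentation linked in the hunk recommends combining them for that reason. I would add `SystemCallArchitectures=native` next to the filter line, unless a non-native JVM has to be supported. The comment above `ProtectSystem=full` could also say what `full` actually covers (/usr, the boot loader directories and /etc become read-only, everything else stays writable to the service user), so that the choice between `full` and `strict` is an informed one. The `[Unit]` header and the start of `[Service]` are outside the hunk, so the rest of the unit is not covered by this note.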
From: Gofannon <17145502+Gofannon@users.noreply.github.com>
Date: Wed, 15 Apr 2020 22:55:24 +0200
Subject: [PATCH 3/3] fix startup of systemd service
---
 conf/systemd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index e05323a..da45966 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -34,7 +34,7 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
-ReadWritePaths=/var/airsonic
+ReadWritePaths=__FINALPATH__
 # You can uncomment the following line if you're not using the jukebox
 # This will prevent airsonic from accessing any real (physical) devices
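Review bot: `ReadWritePaths=__FINALPATH__` carries no comment tying it to the directive it interacts with, while the `ProtectSystem` comment introduced in patch 2 still speaks of AIRSONIC_HOME, so a reader cannot tell whether the two name the same directory. A comment above the line would settle it, e.g. `# Writable exception for ProtectSystem=; must be the directory airsonic uses as its home`. If airsonic writes anywhere else (presumably media or podcast folders, which are not visible here), those paths need listing too before anyone follows the advice to switch to `strict`. The `[Service]` section starts and ends outside the hunk.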