From f2a3b021817b315986496b4696a67510d9bc5da3 Mon Sep 17 00:00:00 2001 From: lapineige Date: Fri, 26 May 2023 15:29:36 +0200 Subject: [PATCH 1/4] Update systemd.service to improve sandboxing. --- conf/systemd.service | 50 +++++++++++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 12 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index c013392..5a36f69 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -22,19 +22,45 @@ WorkingDirectory=__FINALPATH__/live/ ExecStart=__FINALPATH__/live/bin/pleroma start ExecStop=__FINALPATH__/live/bin/pleroma stop -; Some security directives. -; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. -PrivateTmp=true -; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. -ProtectHome=false -; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. -ProtectSystem=full -; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. -PrivateDevices=false +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html ; Ensures that the service process and all its children can never gain new privileges through execve(). -NoNewPrivileges=true -; Drops the sysadmin capability from the daemon. -CapabilityBoundingSet=~CAP_SYS_ADMIN +NoNewPrivileges=yes +# Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. +PrivateTmp=yes +# Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +# Mount /usr, /boot, and /etc as read-only for processes invoked by this service. +ProtectSystem=full +# The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Akkoma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. +ProtectHome=false +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target From 5f0e0f74cd7fdff99b8b102a7ddd7b013044635b Mon Sep 17 00:00:00 2001 From: lapineige Date: Fri, 26 May 2023 15:30:36 +0200 Subject: [PATCH 2/4] Update manifest.json --- manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.json b/manifest.json index 1eda781..5d62a2a 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Federated social networking server built on ActivityPub open protocol", "fr": "Serveur de réseautage social fédéré basé sur le protocole ouvert ActivityPub" }, - "version": "3.9.2~ynh1", + "version": "3.9.2~ynh2", "url": "https://akkoma.social/", "upstream": { "license": "AGPL-3.0-only", From aae5ada855a7746e4025cfd5129716962dc9c23e Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Fri, 26 May 2023 13:30:40 +0000 Subject: [PATCH 3/4] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 189d531..24d7171 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Akkoma is a microblogging server software that can federate (= exchange messages with) other servers that support ActivityPub. What that means is that you can host a server for yourself or your friends and stay in control of your online identity, but still exchange messages with people on larger decentrilized and federated network. Akkoma will federate with all servers that implement ActivityPub, like Friendica, GNU Social, Hubzilla, Mastodon, Misskey, Pleroma, Peertube, or Pixelfed. -**Shipped version:** 3.9.2~ynh1 +**Shipped version:** 3.9.2~ynh2 **Demo:** https://otp.akkoma.dev diff --git a/README_fr.md b/README_fr.md index b1df3d6..afe76bf 100644 --- a/README_fr.md +++ b/README_fr.md @@ -19,7 +19,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po Akkoma is a microblogging server software that can federate (= exchange messages with) other servers that support ActivityPub. What that means is that you can host a server for yourself or your friends and stay in control of your online identity, but still exchange messages with people on larger decentrilized and federated network. Akkoma will federate with all servers that implement ActivityPub, like Friendica, GNU Social, Hubzilla, Mastodon, Misskey, Pleroma, Peertube, or Pixelfed. -**Version incluse :** 3.9.2~ynh1 +**Version incluse :** 3.9.2~ynh2 **Démo :** https://otp.akkoma.dev From f348c6c8adfd02f960d5d285eb93d29d6bd92522 Mon Sep 17 00:00:00 2001 From: lapineige Date: Fri, 26 May 2023 16:03:25 +0200 Subject: [PATCH 4/4] simpler setup It's failing https://github.com/YunoHost-Apps/akkoma_ynh/pull/32 --- conf/systemd.service | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index 5a36f69..42c4747 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -50,17 +50,7 @@ LockPersonality=yes SystemCallArchitectures=native SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] WantedBy=multi-user.target