diff --git a/README.md b/README.md
index c3b9400..28d0cf3 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ BookStack is an opinionated wiki system that provides a pleasant and simple out
 - Diagrams.net Integration
-**Shipped version:** 22.09~ynh1
+**Shipped version:** 22.09.1~ynh1
 **Demo:** https://demo.bookstackapp.com
diff --git a/README_fr.md b/README_fr.md
index ab87837..2d06dd6 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -26,7 +26,7 @@ BookStack is an opinionated wiki system that provides a pleasant and simple out
 - Multi-Lingual
-**Version incluse :** 22.09~ynh1
+**Version incluse :** 22.09.1~ynh1
 **Démo :** https://demo.bookstackapp.com
diff --git a/conf/app.src b/conf/app.src
index 9e40e6d..3fa5ab7 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/BookStackApp/BookStack/archive/refs/tags/v22.09.tar.gz
-SOURCE_SUM=4807d646c2327f26d19df398e1f2ecc54d47a967eefbd80127c611fb1b1a9dbb
+SOURCE_URL=https://github.com/BookStackApp/BookStack/archive/refs/tags/v22.09.1.tar.gz
+SOURCE_SUM=f66e8f0dad102997bb441bfcb8dcb8ab634ed4970623a6fbee4047399b21116a
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/systemd.service b/conf/systemd.service
index fdb603b..af151e3 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -7,5 +7,35 @@ Group=__APP__
 Restart=always
 ExecStart=/usr/bin/php__PHPVERSION__ __FINALPATH__/artisan queue:work --sleep=3 --tries=1 --max-time=3600
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/manifest.json b/manifest.json
index 6d513c3..296dd94 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Platform to create documentation/wiki content",
 "fr": "Plateforme pour créer du contenu de documentation/wiki"
 },
- "version": "22.09~ynh1",
+ "version": "22.09.1~ynh1",
 "url": "https://www.bookstackapp.com/",
 "upstream": {
 "license": "MIT",
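Review bot: `SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap` has no accompanying `SystemCallErrorNumber=`, so the first filtered call kills the artisan worker with SIGSYS and `Restart=always` turns that into a quiet restart loop; adding `SystemCallErrorNumber=EPERM` directly after it makes a blocked call surface as a failed syscall in the worker's own log, which is what the "you may need to tweak these" comment needs to be debuggable. Since the unit runs as an unprivileged account (`Group=__APP__` is the hunk's context line; `User=` is presumably set above the hunk), the nine `CapabilityBoundingSet=~...` deny lines could be replaced by the single `CapabilityBoundingSet=` (an empty list drops every capability), closing the set instead of enumerating what to remove. `ProtectHome=yes` and `RestrictSUIDSGID=yes` are missing from the baseline even though a queue worker has no reason to read /home or create set-id files, and `DevicePolicy=closed` appears to be already implied by `PrivateDevices=yes`. The [Service] section this hunk extends begins above the hunk.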
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 368e7fa..4f7a623 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -8,7 +8,7 @@ YNH_PHP_VERSION="8.0"
 pkg_dependencies="php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-ldap php${YNH_PHP_VERSION}-mbstring php${YNH_PHP_VERSION}-tidy php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-zip php${YNH_PHP_VERSION}-gd"
-YNH_COMPOSER_VERSION=2.3.5
+YNH_COMPOSER_VERSION=2.4.2
 #=================================================
 # PERSONAL HELPERS