From ddd69d35807ef0ea668f572a4b032c529b3ff6ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A9rard=20Collin?=
Date: Wed, 1 Mar 2023 17:34:54 +0100
Subject: [PATCH] Fix upgrade of old stuff and security of chrome

---
 conf/systemd.service | 3 ++-
 scripts/upgrade | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index b26c0df..f2c1d98 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -32,7 +32,8 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+# We need to allow priviledged to enable chromium access to gpu
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation
 
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
diff --git a/scripts/upgrade b/scripts/upgrade
index 14e7d60..2d95ecb 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -104,7 +104,11 @@ complete_install=false
 # Check if we need to clean up old bad installs
 if [ -f "$final_path/package.json" ]; then
 complete_install=true
- ynh_secure_remove --file="$final_path/*"
+ ynh_secure_remove --file="$final_path"
+ mkdir "$final_path"
+ chmod 750 "$final_path"
+ chmod -R o-rwx "$final_path"
+ chown -R $app:$app "$final_path"
 fi
 
 #=================================================
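Review bot: Removing `@privileged` from the deny list on the new `SystemCallFilter=` line un-denies far more than a GPU path plausibly needs: that group also covers `@chown`, `@raw-io`, `bpf`, `capset`, `quotactl`, `open_by_handle_at` and `vhangup` among others (run `systemd-analyze syscall-filter @privileged` on the target for the exact set), and the commit does not say which syscall chromium actually tripped. Per systemd.exec(5) multiple `SystemCallFilter=` lines are merged and an allow line after a deny line removes only the listed calls from the deny list, so the narrower fix is to keep the original line with `@privileged` and add a second `SystemCallFilter=<syscalls observed in the audit>` line; on systemd 247 or newer `SystemCallLog=@privileged` logs the offending calls without blocking them, which is the quickest way to get that list. The comment should also be corrected to `# We need to allow @privileged so chromium can reach the GPU`, fixing the `priviledged` typo. The `[Service]` section this line belongs to starts outside the hunk.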
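Review bot: The four lines added after `ynh_secure_remove` recreate `$final_path` with the process umask and only then tighten it, and `$app` is unquoted in the `chown` (ShellCheck SC2086); the two `chmod` lines are also dead weight on a directory that was just emptied, since `-R` has nothing to descend into and `750` already clears the `o` bits. Creating it with the right mode in one step closes the window and drops the redundant lines: `mkdir -m 750 -- "$final_path"` followed by `chown -- "$app:$app" "$final_path"`. If the dedicated system user is only created later in this script (not visible in the hunk), the `chown` fails here when the script aborts on errors, so its position relative to `ynh_system_user_create` is worth confirming. The `if`/`fi` block is complete within the hunk.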