From 263e8d9d166f00fa119901607bb180288c65811d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Tue, 10 Jan 2023 23:38:37 +0100
Subject: [PATCH 1/3] Update systemd.service

---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index f776321..b3a54a8 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -9,5 +9,39 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 ExecStart=__FINALPATH__/filebrowser -p __PORT__ -c __FINALPATH__/settings.json
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target

From 60f482c5ad7f41a7883618812279bc70e1f5c2d3 Mon Sep 17 00:00:00 2001
From: ericgaspar <junk.eg@free.fr>
Date: Sat, 28 Jan 2023 08:23:51 +0100
Subject: [PATCH 2/3] Update manifest.json

---
 manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifest.json b/manifest.json
index 36ac3ad..20e0735 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
         "en": "Web File Browser",
         "fr": "Gestionnaire de fichiers"
     },
-    "version": "2.23.0~ynh2",
+    "version": "2.23.0~ynh3",
     "url": "https://filebrowser.org",
     "upstream": {
         "license": "Apache-2.0",

From 0b84a9c67278bc318fe1962d89b4b158415fe023 Mon Sep 17 00:00:00 2001
From: yunohost-bot <yunohost@yunohost.org>
Date: Sat, 28 Jan 2023 07:23:55 +0000
Subject: [PATCH 3/3] Auto-update README

---
 README.md    |  4 ++--
 README_fr.md | 22 +++++++++++-----------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 5bb02de..5f2e4de 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ It shall NOT be edited by hand.
 
 # Filebrowser for YunoHost
 
-[![Integration level](https://dash.yunohost.org/integration/filebrowser.svg)](https://dash.yunohost.org/appci/app/filebrowser) ![Working status](https://ci-apps.yunohost.org/ci/badges/filebrowser.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/filebrowser.maintain.svg)  
+[![Integration level](https://dash.yunohost.org/integration/filebrowser.svg)](https://dash.yunohost.org/appci/app/filebrowser) ![Working status](https://ci-apps.yunohost.org/ci/badges/filebrowser.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/filebrowser.maintain.svg)
 [![Install Filebrowser with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=filebrowser)
 
 *[Lire ce readme en français.](./README_fr.md)*
@@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 filebrowser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit your files. It allows the creation of multiple users and each user can have its own directory. It can be used as a standalone app or as a middleware.
 
 
-**Shipped version:** 2.23.0~ynh2
+**Shipped version:** 2.23.0~ynh3
 
 ## Screenshots
 
diff --git a/README_fr.md b/README_fr.md
index 8855266..befee83 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -5,24 +5,24 @@ It shall NOT be edited by hand.
 
 # Filebrowser pour YunoHost
 
-[![Niveau d'intégration](https://dash.yunohost.org/integration/filebrowser.svg)](https://dash.yunohost.org/appci/app/filebrowser) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/filebrowser.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/filebrowser.maintain.svg)  
+[![Niveau d’intégration](https://dash.yunohost.org/integration/filebrowser.svg)](https://dash.yunohost.org/appci/app/filebrowser) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/filebrowser.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/filebrowser.maintain.svg)
 [![Installer Filebrowser avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=filebrowser)
 
 *[Read this readme in english.](./README.md)*
 
-> *Ce package vous permet d'installer Filebrowser rapidement et simplement sur un serveur YunoHost.
-Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
+> *Ce package vous permet d’installer Filebrowser rapidement et simplement sur un serveur YunoHost.
+Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l’installer et en profiter.*
 
-## Vue d'ensemble
+## Vue d’ensemble
 
 filebrowser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit your files. It allows the creation of multiple users and each user can have its own directory. It can be used as a standalone app or as a middleware.
 
 
-**Version incluse :** 2.23.0~ynh2
+**Version incluse :** 2.23.0~ynh3
 
-## Captures d'écran
+## Captures d’écran
 
-![Capture d'écran de Filebrowser](./doc/screenshots/spaces_-M8KDxOujDoPpJyJJ5_i_uploads_git-blob-9390768b0cbb83b1e7da55c0ae13ecd2d8fcb114_2.PNG)
+![Capture d’écran de Filebrowser](./doc/screenshots/spaces_-M8KDxOujDoPpJyJJ5_i_uploads_git-blob-9390768b0cbb83b1e7da55c0ae13ecd2d8fcb114_2.PNG)
 
 ## Avertissements / informations importantes
 
@@ -41,9 +41,9 @@ By default, the root path is set to `/home/yunohost.app/filebrowser`. You can ch
 
 ## Documentations et ressources
 
-* Site officiel de l'app : <https://filebrowser.org>
-* Documentation officielle de l'admin : <https://filebrowser.org/>
-* Dépôt de code officiel de l'app : <https://github.com/filebrowser/filebrowser>
+* Site officiel de l’app : <https://filebrowser.org>
+* Documentation officielle de l’admin : <https://filebrowser.org/>
+* Dépôt de code officiel de l’app : <https://github.com/filebrowser/filebrowser>
 * Documentation YunoHost pour cette app : <https://yunohost.org/app_filebrowser>
 * Signaler un bug : <https://github.com/YunoHost-Apps/filebrowser_ynh/issues>
 
@@ -59,4 +59,4 @@ ou
 sudo yunohost app upgrade filebrowser -u https://github.com/YunoHost-Apps/filebrowser_ynh/tree/testing --debug
 ```
 
-**Plus d'infos sur le packaging d'applications :** <https://yunohost.org/packaging_apps>
+**Plus d’infos sur le packaging d’applications :** <https://yunohost.org/packaging_apps>
\ No newline at end of file