From 42ffdd3b114598f0eac669e682d679767b26a397 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Thu, 6 Jan 2022 23:49:34 +0100 Subject: [PATCH 1/9] Upgrade to 1.2.1~ynh1 --- README.md | 2 +- README_fr.md | 2 +- check_process | 4 ++++ conf/api.src | 4 ++-- conf/front.src | 4 ++-- manifest.json | 2 +- 6 files changed, 11 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 9f456d5..271962a 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Funkwhale is a community-driven project that lets you listen and share music and audio within a decentralized, open network. -**Shipped version:** 1.1.4~ynh2 +**Shipped version:** 1.2.1~ynh1 **Demo:** https://demo.funkwhale.audio diff --git a/README_fr.md b/README_fr.md index ef076b5..4ba6335 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Funkwhale est un projet communautaire qui vous permet d'écouter et de partager de la musique et de l'audio au sein d'un réseau ouvert et décentralisé. -**Version incluse :** 1.1.4~ynh2 +**Version incluse :** 1.2.1~ynh1 **Démo :** https://demo.funkwhale.audio diff --git a/check_process b/check_process index 77673c0..90b44dc 100644 --- a/check_process +++ b/check_process @@ -19,6 +19,8 @@ upgrade=1 from_commit=fa9587f61e4bb4f9db8667b1c6701ede37ac8e91 # 1.1.2~ynh1 upgrade=1 from_commit=74255c1c278562eb174fb13ce538d4754f01186c + # 1.1.4~ynh2 + upgrade=1 from_commit=313335d5aa851a497fa92cd7ac264f989e1052d9 backup_restore=1 multi_instance=1 port_already_use=0 @@ -36,3 +38,5 @@ Notification=all name=1.1.1~ynh1 ; commit=74255c1c278562eb174fb13ce538d4754f01186c name=1.1.2~ynh1 + ; commit=313335d5aa851a497fa92cd7ac264f989e1052d9 + name=1.1.4~ynh2 diff --git a/conf/api.src b/conf/api.src index e5c102a..b5bc3e1 100644 --- a/conf/api.src +++ b/conf/api.src 
@@ -1,5 +1,5 @@ -SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.1.4/download?job=build_api -SOURCE_SUM=c3ea7013ffcbeb4e2832cc596cdccb2e2034b4250a25130aa4dc0d648fe03463 +SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.2.1/download?job=build_api +SOURCE_SUM=d370dd548102be5477a8d6632ea58e6de42d18bce58078e007c471cb8bb4753f SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=true diff --git a/conf/front.src b/conf/front.src index 6d3c19f..a3bb332 100644 --- a/conf/front.src +++ b/conf/front.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/builds/artifacts/1.1.4/download?job=build_front -SOURCE_SUM=83e11273159dd617d16483168300768583b14ffb93cbceec5c4dccdfe2d3fb44 +SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/builds/artifacts/1.2.1/download?job=build_front +SOURCE_SUM=3725d2aa8563dd8989042a1ee4a57cac2d396b5ad20820815775ae724aa8ff0c SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=true diff --git a/manifest.json b/manifest.json index a31b8df..338ae1c 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Modern, convivial and free music server", "fr": "Serveur de musique moderne, convivial et gratuit" }, - "version": "1.1.4~ynh2", + "version": "1.2.1~ynh1", "url": "https://funkwhale.audio", "upstream": { "license": "AGPL-3.0-or-later", From 5e6bcfa39abda2429bd6bcea926e8a1b2937da93 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 00:09:47 +0100 Subject: [PATCH 2/9] Upgrade env for 1.2.1 --- conf/env.prod | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/conf/env.prod b/conf/env.prod index 87a3eb9..2675520 100644 --- a/conf/env.prod +++ b/conf/env.prod 
@@ -5,7 +5,7 @@ # following variables: # - DJANGO_SECRET_KEY # - FUNKWHALE_HOSTNAME -# - EMAIL_CONFIG and DEFAULT_FROM_EMAIL if you plan to send emails) +# - EMAIL_CONFIG and DEFAULT_FROM_EMAIL if you plan to send e-mails) # On non-docker setup **only**, you'll also have to tweak/uncomment those variables: # - DATABASE_URL # - CACHE_URL 
@@ -43,21 +43,30 @@ FUNKWHALE_WEB_WORKERS=6 FUNKWHALE_HOSTNAME=__DOMAIN__ FUNKWHALE_PROTOCOL=https -# Configure email sending using this variale -# By default, funkwhale will output emails sent to stdout +# Log level (debug, info, warning, error, critical) +LOGLEVEL=error + +# Configure e-mail sending using this variale +# By default, funkwhale will output e-mails sent to stdout # here are a few examples for this setting -# EMAIL_CONFIG=consolemail:// # output emails to console (the default) -# EMAIL_CONFIG=dummymail:// # disable email sending completely +# EMAIL_CONFIG=consolemail:// # output e-mails to console (the default) +# EMAIL_CONFIG=dummymail:// # disable e-mail sending completely # On a production instance, you'll usually want to use an external SMTP server: +# If `user` or `password` contain special characters (eg. +# `noreply@youremail.host` as `user`), be sure to urlencode them, using +# for example the command: +# `python3 -c 'import urllib.parse; print(urllib.parse.quote_plus +# ("noreply@youremail.host"))'` +# (returns `noreply%40youremail.host`) # EMAIL_CONFIG=smtp://user@:password@youremail.host:25 # EMAIL_CONFIG=smtp+ssl://user@:password@youremail.host:465 # EMAIL_CONFIG=smtp+tls://user@:password@youremail.host:587 -# Make email verification mandatory before using the service +# Make e-mail verification mandatory before using the service # Doesn't apply to admins. # ACCOUNT_EMAIL_VERIFICATION_ENFORCE=false -# The email address to use to send system emails. +# The e-mail address to use to send system e-mails. # DEFAULT_FROM_EMAIL=noreply@yourdomain # Depending on the reverse proxy used in front of your funkwhale instance, 
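Review bot: The rewritten comment `+# Configure e-mail sending using this variale` carries the old typo over; since the line is already being touched it should read `# Configure e-mail sending using this variable`. The new `LOGLEVEL=error` is the only active (uncommented) setting in this block, and at that level anything the application emits at `warning` never reaches the journal, which is usually the first thing an operator needs when an instance misbehaves. A one-line comment stating that `warning` is the lowest level that keeps such messages, or shipping `warning` as the default, would help; I cannot tell from the hunk whether the install script overrides this value.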
@@ -119,13 +128,6 @@ DJANGO_SECRET_KEY=__KEY__ # want to # DJANGO_ADMIN_URL=^api/admin/ -# Sentry/Raven error reporting (server side) -# Enable Raven if you want to help improve funkwhale by -# automatically sending error reports our Sentry instance. -# This will help us detect and correct bugs -RAVEN_ENABLED=false -RAVEN_DSN=https://44332e9fdd3d42879c7d35bf8562c6a4:0062dc16a22b41679cd5765e5342f716@sentry.eliotberriot.com/5 - # In-place import settings # You can safely leave those settings uncommented if you don't plan to use # in place imports. @@ -178,7 +180,7 @@ NGINX_MAX_BODY_SIZE=100M # AWS_S3_ENDPOINT_URL= # If you want to serve media directly from your S3 bucket rather than through a proxy, -# set this to true +# set this to false # PROXY_MEDIA=false # If you are using Amazon S3 to serve media directly, you will need to specify your region From 88fea978c76776141baebe6de726d4850acf7a85 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 00:13:08 +0100 Subject: [PATCH 3/9] Apply Last example_ynh --- conf/nginx.conf | 5 ----- manifest.json | 4 ++-- scripts/change_url | 14 +++++++------- scripts/install | 12 +++--------- scripts/remove | 28 ++++++++++++++++++++-------- scripts/restore | 7 +++---- scripts/upgrade | 4 +--- 7 files changed, 36 insertions(+), 38 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 3cc4058..c3161d5 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -2,11 +2,6 @@ root __FINALPATH__/front/dist; location / { - # Force usage of https - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } - # global proxy conf proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/manifest.json b/manifest.json index 338ae1c..9f8b4c6 100644 --- a/manifest.json +++ b/manifest.json 
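Review bot: With the `if ($scheme = http) { rewrite … }` block removed, nothing inside `location /` enforces HTTPS any more, so the app now depends on the server-level redirect that YunoHost's own nginx configuration provides; the `yunohost >= 4.3.0` requirement raised in this same patch suggests that is the intent, but it is not stated anywhere in the file. A one-line comment at the top of the location keeps the next maintainer from re-adding the rewrite or, worse, assuming it is still there: `# HTTP -> HTTPS redirection is handled by YunoHost's global nginx configuration`. The remainder of the `location /` block is outside the hunk.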
@@ -14,7 +14,7 @@ "demo": "https://demo.funkwhale.audio", "admindoc": "https://docs.funkwhale.audio/admin/index.html", "userdoc": "https://docs.funkwhale.audio/users/index.html", - "code": "https://dev.funkwhale.audio/funkwhale" + "code": "https://dev.funkwhale.audio/funkwhale/funkwhale" }, "license": "AGPL-3.0-or-later", "maintainer": { @@ -26,7 +26,7 @@ "email": "jean-baptiste@holcroft.fr" }], "requirements": { - "yunohost": ">= 4.2.0" + "yunohost": ">= 4.3.0" }, "multi_instance": true, "services": [ diff --git a/scripts/change_url b/scripts/change_url index f9e6de3..f1d5769 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -24,7 +24,7 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." --weight=1 +ynh_script_progression --message="Loading installation settings..." # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) @@ -34,7 +34,7 @@ redis_db=$(ynh_app_setting_get --app=$app --key=redis_db) port=$(ynh_app_setting_get --app=$app --key=port) db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_user=$db_name -db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) +db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd) datadir=$(ynh_app_setting_get --app=$app --key=datadir) redis_db=$(ynh_app_setting_get --app=$app --key=redis_db) key=$(ynh_app_setting_get --app=$app --key=key) 
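Review bot: `db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)` changes the settings key this script reads, but nothing in the series shows install or upgrade ever writing a `db_pwd` setting; the 4.x `ynh_psql_setup_db` helper stores the generated password under `psqlpwd`, which is exactly the key the removed line used. If deployed instances only have `psqlpwd`, `$db_pwd` is empty here and any configuration regenerated later in change_url (outside this hunk) would be written without a database password. Either keep reading `psqlpwd`, or read the new key with a fallback, `db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd); [ -n "$db_pwd" ] || db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)`, and migrate the key once in upgrade. How `$db_pwd` is used is not visible in this hunk, so this is inferred from the loaded settings alone.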
@@ -42,7 +42,7 @@ key=$(ynh_app_setting_get --app=$app --key=key) #================================================= # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=1 +ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." # Backup the current version of the app ynh_backup_before_upgrade @@ -77,7 +77,7 @@ fi #================================================= # STOP SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Stopping a systemd service..." --weight=1 +ynh_script_progression --message="Stopping a systemd service..." ynh_systemd_action --service_name="$app-beat" --action=stop --log_path="/var/log/$app/$app.log" ynh_systemd_action --service_name="$app-server" --action=stop --log_path="/var/log/$app/$app.log" @@ -86,7 +86,7 @@ ynh_systemd_action --service_name="$app-worker" --action=stop --log_path="/var/l #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1 +ynh_script_progression --message="Updating NGINX web server configuration..." nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf @@ -147,7 +147,7 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-access.log" --fail #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading NGINX web server..." --weight=1 +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload 
@@ -155,4 +155,4 @@ ynh_systemd_action --service_name=nginx --action=reload # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --last +ynh_script_progression --message="Change of URL completed for $app" diff --git a/scripts/install b/scripts/install index 8048444..08105df 100644 --- a/scripts/install +++ b/scripts/install @@ -40,8 +40,6 @@ ynh_script_progression --message="Validating installation parameters..." final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" -datadir="/home/yunohost.app/${app}/data" - # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url @@ -105,9 +103,7 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_setup_source --dest_dir="$final_path/api" --source_id="api" ynh_setup_source --dest_dir="$final_path/front" --source_id="front" -pushd $final_path - mkdir -p config -popd +mkdir -p $final_path/config chmod 750 "$final_path" chmod -R o-rwx "$final_path" @@ -128,13 +124,11 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Creating a data directory..." +datadir=/home/yunohost.app/$app/data ynh_app_setting_set --app=$app --key=datadir --value=$datadir mkdir -p $datadir - -pushd $datadir - mkdir -p static media music -popd +mkdir -p $datadir/{static,media,music} chmod 750 "$datadir" chmod -R o-rwx "$datadir" diff --git a/scripts/remove b/scripts/remove index 86dcec7..071eac5 100644 --- a/scripts/remove +++ b/scripts/remove @@ -21,6 +21,7 @@ port=$(ynh_app_setting_get --app=$app --key=port) db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_user=$db_name final_path=$(ynh_app_setting_get --app=$app --key=final_path) +datadir=$(ynh_app_setting_get --app=$app --key=datadir) redis_db=$(ynh_app_setting_get --app=$app --key=redis_db) #================================================= 
@@ -72,14 +73,6 @@ ynh_script_progression --message="Removing the PostgreSQL database..." # Remove a database if it exists, along with the associated user ynh_psql_remove_db --db_user=$db_user --db_name=$db_name -#================================================= -# REMOVE DEPENDENCIES -#================================================= -ynh_script_progression --message="Removing dependencies..." - -# Remove metapackage and its dependencies -ynh_remove_app_dependencies - #================================================= # REMOVE APP MAIN DIR #================================================= @@ -88,6 +81,17 @@ ynh_script_progression --message="Removing app main directory..." # Remove the app directory securely ynh_secure_remove --file="$final_path" +#================================================= +# REMOVE DATA DIR +#================================================= + +# Remove the data directory if --purge option is used +if [ "${YNH_APP_PURGE:-0}" -eq 1 ] +then + ynh_script_progression --message="Removing app data directory..." + ynh_secure_remove --file="$datadir" +fi + #================================================= # REMOVE NGINX CONFIGURATION #================================================= @@ -96,6 +100,14 @@ ynh_script_progression --message="Removing NGINX web server configuration..." # Remove the dedicated NGINX config ynh_remove_nginx_config +#================================================= +# REMOVE DEPENDENCIES +#================================================= +ynh_script_progression --message="Removing dependencies..." + +# Remove metapackage and its dependencies +ynh_remove_app_dependencies + #================================================= # REMOVE FAIL2BAN CONFIGURATION #================================================= diff --git a/scripts/restore b/scripts/restore index 37cef64..1e279a5 100644 --- a/scripts/restore +++ b/scripts/restore 
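Review bot: The purge branch calls `ynh_secure_remove --file="$datadir"` with `datadir` taken straight from the app settings (loaded in the first hunk of this file) and no check that the value is non-empty, while the upgrade script in this same patch still handles an empty `datadir`, so the value is evidently not guaranteed on every instance. `ynh_secure_remove` may refuse an empty path by itself, but an explicit guard costs nothing and makes the intent visible: `if [ "${YNH_APP_PURGE:-0}" -eq 1 ] && [ -n "$datadir" ]`. Moving the dependency removal after the NGINX cleanup in the following hunk is fine.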
@@ -39,7 +39,8 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir) #================================================= ynh_script_progression --message="Validating restoration parameters..." -test ! -d $final_path || ynh_die --message="There is already a directory: $final_path " +test ! -d $final_path \ + || ynh_die --message="There is already a directory: $final_path " #================================================= # STANDARD RESTORATION STEPS @@ -78,9 +79,7 @@ ynh_restore_file --origin_path="$datadir" --not_mandatory mkdir -p $datadir -pushd $datadir - mkdir -p static media music -popd +mkdir -p $datadir/{static,media,music} chmod 750 "$datadir" chmod -R o-rwx "$datadir" diff --git a/scripts/upgrade b/scripts/upgrade index 891ef85..fd412c9 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -97,9 +97,7 @@ if [ -z "$datadir" ]; then ynh_script_progression --message="Moving datas to $datadir..." mkdir -p $datadir - pushd $datadir - mkdir -p static media music - popd + mkdir -p $datadir/{static,media,music} chmod 750 "$datadir" chmod -R o-rwx "$datadir" From 0bbf93073487ead0f45b1209ec2930ad9265b38c Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 00:15:33 +0100 Subject: [PATCH 4/9] Fix path traversal issues --- conf/nginx.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index c3161d5..0b1cdf6 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -105,12 +105,12 @@ location /media/ { alias __DATADIR__/media/; } -location /_protected/media { +location /_protected/media/ { # this is an internal location that is used to serve # audio files once correct permission / authentication # has been checked on API side internal; - alias __DATADIR__/media; + alias __DATADIR__/media/; } # Comment the previous location and uncomment this one if you're storing 
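Review bot: `mkdir -p $datadir/{static,media,music}` expands `datadir` unquoted, and the `ynh_restore_file --origin_path="$datadir" --not_mandatory` context just above shows that a backup without the data directory is anticipated; if the restored `datadir` setting is ever empty, the brace expansion yields `/static /media /music` and creates those directories at the filesystem root before the following `chmod` lines fail. A guard after the settings are loaded (outside this hunk), `[ -n "$datadir" ] || ynh_die --message="datadir setting is missing from the backup"`, closes that, and quoting the variable keeps paths with spaces intact: `mkdir -p "$datadir"/{static,media,music}`. The same expansion is introduced in scripts/upgrade (where `datadir` is presumably assigned inside the enclosing `if [ -z "$datadir" ]` branch, which is outside the hunk) and in scripts/install in this patch. The `test ! -d $final_path \` line in the first hunk of this file could take the same quoting.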
@@ -122,13 +122,13 @@ location /_protected/media { # proxy_pass $1; # } -location /_protected/music { +location /_protected/music/ { # this is an internal location that is used to serve # audio files once correct permission / authentication # has been checked on API side # Set this to the same value as your MUSIC_DIRECTORY_PATH setting internal; - alias __DATADIR__/music; + alias __DATADIR__/music/; } location /staticfiles/ { From 9022b57c2e3bcb5d9d6a27de3c012c8b0717a57c Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Thu, 6 Jan 2022 23:15:39 +0000 Subject: [PATCH 5/9] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 271962a..1e2f7cd 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ The files can then be added to your library from the *uploading* tab in a music * Official app website: https://funkwhale.audio/ * Official user documentation: https://docs.funkwhale.audio/users/index.html * Official admin documentation: https://docs.funkwhale.audio/admin/index.html -* Upstream app code repository: https://dev.funkwhale.audio/funkwhale +* Upstream app code repository: https://dev.funkwhale.audio/funkwhale/funkwhale * YunoHost documentation for this app: https://yunohost.org/app_funkwhale * Report a bug: https://github.com/YunoHost-Apps/funkwhale_ynh/issues diff --git a/README_fr.md b/README_fr.md index 4ba6335..f4a7a04 100644 --- a/README_fr.md +++ b/README_fr.md 
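Review bot: The trailing slashes are the right fix for the two `_protected` locations, because a prefix `location` without one also matches sibling paths that merely start with `media`/`music`, and `alias` then maps them onto sibling entries of the data directory; `internal;` limits the exposure to redirects issued by the API, but does not remove it. The context line `location /staticfiles/ {` at the end of this hunk has its `alias` outside the diff, and it should be checked against the same rule, as should every other `alias` in the file. To keep the invariant from being lost in a later edit, a comment beside each pair would help: `# location and alias must both end in "/" so that only paths under this directory are served`. The first hunk of this file fixes `/_protected/media` the same way.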
@@ -39,7 +39,7 @@ Les fichiers peuvent ensuite être ajoutés à votre bibliothèque à partir de * Site officiel de l'app : https://funkwhale.audio/ * Documentation officielle utilisateur : https://docs.funkwhale.audio/users/index.html * Documentation officielle de l'admin : https://docs.funkwhale.audio/admin/index.html -* Dépôt de code officiel de l'app : https://dev.funkwhale.audio/funkwhale +* Dépôt de code officiel de l'app : https://dev.funkwhale.audio/funkwhale/funkwhale * Documentation YunoHost pour cette app : https://yunohost.org/app_funkwhale * Signaler un bug : https://github.com/YunoHost-Apps/funkwhale_ynh/issues From 57f846542d6d2838f89f094448183a53ecd5d3c9 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 00:16:10 +0100 Subject: [PATCH 6/9] Hardening systemd --- conf/funkwhale-beat.service | 30 ++++++++++++++++++++++++++++++ conf/funkwhale-server.service | 30 ++++++++++++++++++++++++++++++ conf/funkwhale-worker.service | 30 ++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+) diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service index 2efd191..bf0eb33 100644 --- a/conf/funkwhale-beat.service +++ b/conf/funkwhale-beat.service 
@@ -10,5 +10,35 @@ WorkingDirectory=__FINALPATH__/api EnvironmentFile=__FINALPATH__/config/.env ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service index 59d5dd2..aac8b60 100644 --- a/conf/funkwhale-server.service +++ b/conf/funkwhale-server.service 
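Review bot: The `SystemCallFilter=~…` line is applied without `SystemCallErrorNumber=`, so a syscall in a denied group terminates the process with SIGSYS instead of returning an error, which makes a too-strict directive surface as an unexplained crash; `SystemCallErrorNumber=EPERM` together with `SystemCallArchitectures=native` keeps the block diagnosable while it is rolled out. Patch 9 of this series drops the whole block again without recording which directive broke the service, which is the outcome that setting helps avoid. It would also help to state why `ProtectHome=` is absent, since scripts/install places the data directory under `/home/yunohost.app/$app/data` and that directive would hide it from the service: `# ProtectHome= is intentionally unset: the data directory lives under /home/yunohost.app`. The same block is added to funkwhale-server.service and funkwhale-worker.service in the next two hunks.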
@@ -10,5 +10,35 @@ WorkingDirectory=__FINALPATH__/api EnvironmentFile=__FINALPATH__/config/.env ExecStart=__FINALPATH__/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service index ca8bd26..9d07718 100644 --- a/conf/funkwhale-worker.service +++ b/conf/funkwhale-worker.service 
@@ -10,5 +10,35 @@ WorkingDirectory=__FINALPATH__/api EnvironmentFile=__FINALPATH__/config/.env ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO --concurrency=0 +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From dd9914eff7ec8e5ea5eb3633e051b521c239a0c1 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 03:15:43 +0100 Subject: [PATCH 7/9] Fix datadir --- scripts/install | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 08105df..73e20e9 100644 --- a/scripts/install +++ b/scripts/install 
@@ -40,6 +40,8 @@ ynh_script_progression --message="Validating installation parameters..." final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" +datadir=/home/yunohost.app/$app/data + # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url @@ -124,7 +126,6 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Creating a data directory..." -datadir=/home/yunohost.app/$app/data ynh_app_setting_set --app=$app --key=datadir --value=$datadir mkdir -p $datadir From 978a4d73f8da9237c28b91d52ea06532894ccfb0 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 20:02:59 +0100 Subject: [PATCH 8/9] ynh_exec_warn_less --- scripts/install | 10 +++++----- scripts/upgrade | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/scripts/install b/scripts/install index 73e20e9..2cd9ba1 100644 --- a/scripts/install +++ b/scripts/install @@ -173,8 +173,8 @@ pushd $final_path source $final_path/virtualenv/bin/activate pip install --upgrade pip pip install --upgrade setuptools - pip install wheel - pip install -r api/requirements.txt + ynh_exec_warn_less pip install wheel + ynh_exec_warn_less pip install -r api/requirements.txt popd #================================================= 
@@ -187,10 +187,10 @@ pushd $final_path # needed for enabling the 'unaccent' extension ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH SUPERUSER;" --database="$db_name" - python api/manage.py migrate + ynh_exec_warn_less python api/manage.py migrate ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH NOSUPERUSER;" --database="$db_name" - echo "from django.contrib.auth import get_user_model; User = get_user_model(); User.objects.create_superuser('$admin', '$admin_mail', 'funkwhale') " | python api/manage.py shell - echo "yes" | python api/manage.py collectstatic + echo "from django.contrib.auth import get_user_model; User = get_user_model(); User.objects.create_superuser('$admin', '$admin_mail', 'funkwhale') " | ynh_exec_warn_less python api/manage.py shell + echo "yes" | ynh_exec_warn_less python api/manage.py collectstatic popd chmod 750 "$final_path" diff --git a/scripts/upgrade b/scripts/upgrade index fd412c9..02a3bc8 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -196,8 +196,8 @@ pushd $final_path source $final_path/virtualenv/bin/activate pip install --upgrade pip pip install --upgrade setuptools - pip install wheel - pip install -r api/requirements.txt + ynh_exec_warn_less pip install wheel + ynh_exec_warn_less pip install -r api/requirements.txt popd #================================================= 
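Review bot: The superuser bootstrap line still creates the Django admin with the literal password `'funkwhale'` (third positional argument of `create_superuser`) and splices `$admin` and `$admin_mail` into Python source, where a quote in the mail address would break or alter the statement; wrapping the command in `ynh_exec_warn_less` changes neither. Unless a later step of the script (outside this hunk) resets that password or the instance authenticates exclusively through LDAP, every install ships an admin account with a known credential. Generate the password and pass all three values through the environment instead of the source string, keeping the `echo | manage.py shell` form because the helper is `eval`-based as far as I know and would re-parse a `;` inside a `-c` argument; then store or display the password with the install's own conventions if the account is meant to be used directly.
```shell
    # … unchanged: migrate and the ALTER USER … NOSUPERUSER call …
    admin_pwd=$(ynh_string_random --length=24)
    export FW_ADMIN_NAME="$admin" FW_ADMIN_MAIL="$admin_mail" FW_ADMIN_PWD="$admin_pwd"
    echo "import os; from django.contrib.auth import get_user_model; get_user_model().objects.create_superuser(os.environ['FW_ADMIN_NAME'], os.environ['FW_ADMIN_MAIL'], os.environ['FW_ADMIN_PWD'])" | ynh_exec_warn_less python api/manage.py shell
    unset FW_ADMIN_NAME FW_ADMIN_MAIL FW_ADMIN_PWD
    # … unchanged: collectstatic …
```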
@@ -220,10 +220,10 @@ pushd $final_path # needed for enabling the 'unaccent' extension ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH SUPERUSER;" --database="$db_name" - python api/manage.py migrate + ynh_exec_warn_less python api/manage.py migrate ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH NOSUPERUSER;" --database="$db_name" - echo "yes" | python api/manage.py collectstatic --clear --noinput + echo "yes" | ynh_exec_warn_less python api/manage.py collectstatic --clear --noinput # https://code.eliotberriot.com/funkwhale/funkwhale/tags/0.16 # users-now-have-an-activitypub-actor-manual-action-required # python api/manage.py script create_actors --no-input @@ -241,7 +241,7 @@ pushd $final_path # higher quality images # https://docs.funkwhale.audio/changelog.html#increased-quality-of-jpeg-thumbnails-manual-action-required ynh_secure_remove --file="$final_path/media/__sized__" - python api/manage.py fw media generate-thumbnails + ynh_exec_warn_less python api/manage.py fw media generate-thumbnails popd chmod 750 "$final_path" From 43b40c6a594cfc1358d312e591900011c6726d48 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Fri, 7 Jan 2022 20:04:02 +0100 Subject: [PATCH 9/9] Remove service hardening --- conf/funkwhale-beat.service | 30 ------------------------------ conf/funkwhale-server.service | 30 ------------------------------ conf/funkwhale-worker.service | 30 ------------------------------ 3 files changed, 90 deletions(-) diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service index bf0eb33..2efd191 100644 --- a/conf/funkwhale-beat.service +++ b/conf/funkwhale-beat.service 
@@ -10,35 +10,5 @@ WorkingDirectory=__FINALPATH__/api EnvironmentFile=__FINALPATH__/config/.env ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service index aac8b60..59d5dd2 100644 --- a/conf/funkwhale-server.service +++ b/conf/funkwhale-server.service 
@@ -10,35 +10,5 @@ WorkingDirectory=__FINALPATH__/api EnvironmentFile=__FINALPATH__/config/.env ExecStart=__FINALPATH__/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service index 9d07718..ca8bd26 100644 --- a/conf/funkwhale-worker.service +++ b/conf/funkwhale-worker.service 
@@ -10,35 +10,5 @@ WorkingDirectory=__FINALPATH__/api EnvironmentFile=__FINALPATH__/config/.env ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO --concurrency=0 -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target