From d6d38fac439aaea29fddd70bc618d27d82c40f35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 17 Dec 2022 22:15:42 +0100
Subject: [PATCH 1/2] 0.2.2

---
 conf/amd64.src       |  4 ++--
 conf/arm64.src       |  4 ++--
 conf/armhf.src       |  4 ++--
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 manifest.json        |  4 ++--
 5 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/conf/amd64.src b/conf/amd64.src
index 215b806..47a68c6 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.1/gossa-linux-x64
-SOURCE_SUM=1c7ac07fb479a14faf02701e7850c10def44c4c0175094ca2cebf2fec1d153eb
+SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.2/gossa-linux-x64
+SOURCE_SUM=2732045eb0e5ff2061c78ce1d9facfb1fd921f04a3a243e1f945fb5df4953e21
 SOURCE_SUM_PRG=sha256sum
 SOURCE_IN_SUBDIR=false
 SOURCE_FILENAME=gossa
diff --git a/conf/arm64.src b/conf/arm64.src
index 0303338..0bc11ce 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.1/gossa-linux-arm64
-SOURCE_SUM=0d6451a18f5119f80d08291300f0c8be47c0c2b93094d1ad390751d47fde17d8
+SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.2/gossa-linux-arm64
+SOURCE_SUM=f5f924cc78172fe7a46d5a59455e377e0461d03576d846a1da50e1a0cb2f7b12
 SOURCE_SUM_PRG=sha256sum
 SOURCE_IN_SUBDIR=false
 SOURCE_FILENAME=gossa
diff --git a/conf/armhf.src b/conf/armhf.src
index 6f7d1c2..9718f26 100644
--- a/conf/armhf.src
+++ b/conf/armhf.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.1/gossa-linux-arm
-SOURCE_SUM=3ae6b2f0b8a9274ce875519c4cc8c7cb4151823beac42a29ed363da09c222c29
+SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.2/gossa-linux-arm
+SOURCE_SUM=b57b46c883246e1c929aaa13c482183d575b72636fab6e203b134d31ec74bd6e
 SOURCE_SUM_PRG=sha256sum
 SOURCE_IN_SUBDIR=false
 SOURCE_FILENAME=gossa
diff --git a/conf/systemd.service b/conf/systemd.service
index 667c6c2..966b271 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -12,5 +12,39 @@ ExecStart=__FINAL_PATH__/gossa -h 127.0.0.1 -p __PORT__ __DATADIR__
 Restart=always
 RestartSec=30
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 11fabf3..d8427d2 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
         "en": "Fast and simple webserver for your files",
         "fr": "Serveur web simple et rapide pour vos fichiers"
     },
-    "version": "0.2.1~ynh1",
+    "version": "0.2.2~ynh1",
     "url": "https://github.com/pldubouilh/gossa",
     "upstream": {
         "license": "MIT",
@@ -18,7 +18,7 @@
         "name": "eric_G"
     },
     "requirements": {
-        "yunohost": ">= 4.3.0"
+        "yunohost": ">= 11.0.9"
     },
     "multi_instance": true,
     "services": [

From b3c396081bc41230cf8de47ff997809603205293 Mon Sep 17 00:00:00 2001
From: yunohost-bot <yunohost@yunohost.org>
Date: Sat, 17 Dec 2022 21:15:47 +0000
Subject: [PATCH 2/2] Auto-update README

---
 README.md    | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index da067d6..5eec446 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ A fast and simple webserver for your files, that's dependency-free and with unde
     ✨ PWA enabled
 
 
-**Shipped version:** 0.2.1~ynh1
+**Shipped version:** 0.2.2~ynh1
 
 ## Screenshots
 
diff --git a/README_fr.md b/README_fr.md
index 38f8740..b5dbbec 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -32,7 +32,7 @@ A fast and simple webserver for your files, that's dependency-free and with unde
     ✨ PWA enabled
 
 
-**Version incluse :** 0.2.1~ynh1
+**Version incluse :** 0.2.2~ynh1
 
 ## Captures d'écran