diff --git a/conf/amd64.src b/conf/amd64.src
index 215b806..47a68c6 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.1/gossa-linux-x64
-SOURCE_SUM=1c7ac07fb479a14faf02701e7850c10def44c4c0175094ca2cebf2fec1d153eb
+SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.2/gossa-linux-x64
+SOURCE_SUM=2732045eb0e5ff2061c78ce1d9facfb1fd921f04a3a243e1f945fb5df4953e21
 SOURCE_SUM_PRG=sha256sum
 SOURCE_IN_SUBDIR=false
 SOURCE_FILENAME=gossa
diff --git a/conf/arm64.src b/conf/arm64.src
index 0303338..0bc11ce 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.1/gossa-linux-arm64
-SOURCE_SUM=0d6451a18f5119f80d08291300f0c8be47c0c2b93094d1ad390751d47fde17d8
+SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.2/gossa-linux-arm64
+SOURCE_SUM=f5f924cc78172fe7a46d5a59455e377e0461d03576d846a1da50e1a0cb2f7b12
 SOURCE_SUM_PRG=sha256sum
 SOURCE_IN_SUBDIR=false
 SOURCE_FILENAME=gossa
diff --git a/conf/armhf.src b/conf/armhf.src
index 6f7d1c2..9718f26 100644
--- a/conf/armhf.src
+++ b/conf/armhf.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.1/gossa-linux-arm
-SOURCE_SUM=3ae6b2f0b8a9274ce875519c4cc8c7cb4151823beac42a29ed363da09c222c29
+SOURCE_URL=https://github.com/pldubouilh/gossa/releases/download/v0.2.2/gossa-linux-arm
+SOURCE_SUM=b57b46c883246e1c929aaa13c482183d575b72636fab6e203b134d31ec74bd6e
 SOURCE_SUM_PRG=sha256sum
 SOURCE_IN_SUBDIR=false
 SOURCE_FILENAME=gossa
diff --git a/conf/systemd.service b/conf/systemd.service
index 667c6c2..966b271 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -12,5 +12,39 @@ ExecStart=__FINAL_PATH__/gossa -h 127.0.0.1 -p __PORT__ __DATADIR__
 Restart=always
 RestartSec=30
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 11fabf3..d8427d2 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Fast and simple webserver for your files",
 "fr": "Serveur web simple et rapide pour vos fichiers"
 },
- "version": "0.2.1~ynh1",
+ "version": "0.2.2~ynh1",
 "url": "https://github.com/pldubouilh/gossa",
 "upstream": {
 "license": "MIT",
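Review bot: The hardening block added after `RestartSec=30` omits two directives that sit naturally alongside the ones present and cost a file server nothing: `ProtectKernelLogs=yes` (kernel tunables and modules are protected, the ring buffer is not) and `RestrictSUIDSGID=yes`. The `@setuid` entry in `SystemCallFilter` covers the setuid family of calls but does not stop the process from creating set-uid or set-gid files under `__DATADIR__`, and the `ExecStart` line shown in the hunk header passes no read-only flag, so uploads are presumably enabled; `RestrictSUIDSGID=yes` closes that. `ProtectSystem=full` leaves every path outside /usr, /boot and /etc writable, whereas `ProtectSystem=strict` plus `ReadWritePaths=__DATADIR__` would confine writes to the data directory, assuming gossa writes nowhere else (worth confirming against the package's install script). The `[Service]` section this hunk extends begins before the hunk, so the `User=` setting that decides whether the `CapabilityBoundingSet` lines matter in practice is not visible here.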
@@ -18,7 +18,7 @@
 "name": "eric_G"
 },
 "requirements": {
- "yunohost": ">= 4.3.0"
+ "yunohost": ">= 11.0.9"
 },
 "multi_instance": true,
 "services": [