From 26b943358f7a577d2872b41e3834c4087c931bae Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Sun, 29 Aug 2021 20:39:38 +0200 Subject: [PATCH 1/7] rights --- check_process | 1 - conf/nginx.conf | 2 +- scripts/restore | 2 +- scripts/upgrade | 6 ++++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/check_process b/check_process index 0868ccb..fdec3e2 100644 --- a/check_process +++ b/check_process @@ -14,7 +14,6 @@ upgrade=1 backup_restore=1 multi_instance=0 - port_already_use=0 change_url=0 ;;; Options Email= diff --git a/conf/nginx.conf b/conf/nginx.conf index 53cba2f..d76ee1d 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,7 +1,7 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - proxy_pass http://127.0.0.1:__PORT__/; + proxy_pass http://127.0.0.1:__PORT__/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; diff --git a/scripts/restore b/scripts/restore index b38ec57..aefd3e0 100644 --- a/scripts/restore +++ b/scripts/restore @@ -146,7 +146,7 @@ usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log "$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port +yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index 023c556..beadc30 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -140,7 +140,9 @@ ynh_add_systemd_config ynh_script_progression --message="Securing files and directories..." # Set permissions on app files -chown -R $app:$app $final_path +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= @@ -148,7 +150,7 @@ usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log "$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port +yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port #================================================= # START SYSTEMD SERVICE From d65ef911dee0f227dcd230712d26482b704b44a2 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Fri, 12 Nov 2021 09:07:35 +0100 Subject: [PATCH 2/7] cleaning up --- doc/DESCRIPTION.md | 1 + manifest.json | 9 ++++----- scripts/_common.sh | 24 ++++++++++++++++++++++++ scripts/ynh_detect_arch__2 | 25 ------------------------- 4 files changed, 29 insertions(+), 30 deletions(-) create mode 100644 doc/DESCRIPTION.md delete mode 100644 scripts/ynh_detect_arch__2 diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..e7521a0 --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1 @@ +Kodi is a media center and entertainment hub that brings all your digital media together. It is 100% free and open source, very customisable and runs on a wide variety of devices. Users can play and view most videos, music, podcasts, games and other digital media files from local and network storage media and the internet. \ No newline at end of file diff --git a/manifest.json b/manifest.json index fe7463d..69636fa 100644 --- a/manifest.json +++ b/manifest.json @@ -3,8 +3,8 @@ "id": "kodi", "packaging_format": 1, "description": { - "en": "Transform your YunoHost server into media center with Kodi", - "fr": "Transfromez votre serveur YunoHost en media center avec Kodi" + "en": "Media center that brings all your digital media together", + "fr": "Centre multimédia qui rassemble tous vos médias numériques" }, "version": "17.3~ynh1", "url": "https://kodi.tv", @@ -21,7 +21,7 @@ "url": "blog.cecchettosylvain.fr" }, "requirements": { - "yunohost": ">= 4.1.3" + "yunohost": ">= 4.2.3" }, "multi_instance": false, "services": [ @@ -31,8 +31,7 @@ "install" : [ { "name": "domain", - "type": "domain", - "example": "example.com" + "type": "domain" }, { "name": "path", diff --git a/scripts/_common.sh b/scripts/_common.sh index e5be016..a366e7f 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -19,6 +19,30 @@ package_check_dependencies="xserver-xorg-video-dummy" # EXPERIMENTAL HELPERS #================================================= +# Check the architecture +# +# example: architecture=$(ynh_detect_arch) +# +# usage: ynh_detect_arch +# +# Requires YunoHost version 2.2.4 or higher. + +ynh_detect_arch(){ + local architecture + if [ -n "$(uname -m | grep arm64)" ] || [ -n "$(uname -m | grep aarch64)" ]; then + architecture="arm64" + elif [ -n "$(uname -m | grep 64)" ]; then + architecture="x86-64" + elif [ -n "$(uname -m | grep 86)" ]; then + architecture="i386" + elif [ -n "$(uname -m | grep arm)" ]; then + architecture="arm" + else + architecture="unknown" + fi + echo $architecture +} + #================================================= # FUTURE OFFICIAL HELPERS #================================================= diff --git a/scripts/ynh_detect_arch__2 b/scripts/ynh_detect_arch__2 deleted file mode 100644 index b1c7375..0000000 --- a/scripts/ynh_detect_arch__2 +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash - -# Check the architecture -# -# example: architecture=$(ynh_detect_arch) -# -# usage: ynh_detect_arch -# -# Requires YunoHost version 2.2.4 or higher. - -ynh_detect_arch(){ - local architecture - if [ -n "$(uname -m | grep arm64)" ] || [ -n "$(uname -m | grep aarch64)" ]; then - architecture="arm64" - elif [ -n "$(uname -m | grep 64)" ]; then - architecture="x86-64" - elif [ -n "$(uname -m | grep 86)" ]; then - architecture="i386" - elif [ -n "$(uname -m | grep arm)" ]; then - architecture="arm" - else - architecture="unknown" - fi - echo $architecture -} From 03dccfefd53d9de8e12e517a897f5bf3c724c89c Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Fri, 12 Nov 2021 08:07:54 +0000 Subject: [PATCH 3/7] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4c0efb7..513c2d3 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -Transform your YunoHost server into media center with Kodi +Kodi is a media center and entertainment hub that brings all your digital media together. It is 100% free and open source, very customisable and runs on a wide variety of devices. Users can play and view most videos, music, podcasts, games and other digital media files from local and network storage media and the internet. **Shipped version:** 17.3~ynh1 diff --git a/README_fr.md b/README_fr.md index 99ad2d2..8f3622e 100644 --- a/README_fr.md +++ b/README_fr.md @@ -11,7 +11,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour ## Vue d'ensemble -Transfromez votre serveur YunoHost en media center avec Kodi +Kodi is a media center and entertainment hub that brings all your digital media together. It is 100% free and open source, very customisable and runs on a wide variety of devices. Users can play and view most videos, music, podcasts, games and other digital media files from local and network storage media and the internet. **Version incluse :** 17.3~ynh1 From 0b7c67dc58daded1c3cb82484c18d14fa94bd78b Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Fri, 12 Nov 2021 14:05:49 +0100 Subject: [PATCH 4/7] Fix --- conf/systemd.service | 30 ++++++++++++++++++++++++++++++ scripts/install | 2 +- scripts/restore | 4 +--- scripts/upgrade | 2 +- 4 files changed, 33 insertions(+), 5 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index 2feee3a..01b36a3 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -17,5 +17,35 @@ ExecStart=/usr/bin/xinit /usr/bin/dbus-launch --exit-with-session /usr/bin/kodi Restart=on-abort RestartSec = 5 +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/scripts/install b/scripts/install index a6e5f51..e62b917 100644 --- a/scripts/install +++ b/scripts/install @@ -169,7 +169,7 @@ usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log "$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port +yunohost service add $app --description=media center --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports=$port #================================================= # START SYSTEMD SERVICE diff --git a/scripts/restore b/scripts/restore index 5193272..c650e85 100644 --- a/scripts/restore +++ b/scripts/restore @@ -53,8 +53,6 @@ fi #================================================= ynh_script_progression --message="Validating restoration parameters..." -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " @@ -148,7 +146,7 @@ usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port +yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports=$port #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index a168fb4..7f214cd 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -150,7 +150,7 @@ usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports $port +yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports=$port #================================================= # START SYSTEMD SERVICE From b727c3d8be506dae5067b8919d9e655e23575745 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Fri, 12 Nov 2021 15:30:40 +0100 Subject: [PATCH 5/7] Fix --- scripts/install | 1 - scripts/restore | 1 - scripts/upgrade | 2 -- 3 files changed, 4 deletions(-) diff --git a/scripts/install b/scripts/install index e62b917..d5bb250 100644 --- a/scripts/install +++ b/scripts/install @@ -7,7 +7,6 @@ #================================================= source _common.sh -source ynh_detect_arch__2 source /usr/share/yunohost/helpers #================================================= diff --git a/scripts/restore b/scripts/restore index c650e85..27218f7 100644 --- a/scripts/restore +++ b/scripts/restore @@ -8,7 +8,6 @@ # Keep this path for calling _common.sh inside the execution's context of backup and restore scripts source ../settings/scripts/_common.sh -source ../settings/scripts/ynh_detect_arch__2 source /usr/share/yunohost/helpers #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 7f214cd..83ddaac 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -7,7 +7,6 @@ #================================================= source _common.sh -source ynh_detect_arch__2 source /usr/share/yunohost/helpers #================================================= @@ -28,7 +27,6 @@ arch=$(ynh_detect_arch) #================================================= # CHECK VERSION #================================================= -ynh_script_progression --message="Checking version..." upgrade_type=$(ynh_check_app_version_changed) From d0b7cee15750f23bcf8f1558ffcf7d99aa878703 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Fri, 12 Nov 2021 16:12:10 +0100 Subject: [PATCH 6/7] Update systemd.service --- conf/systemd.service | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index 01b36a3..2feee3a 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -17,35 +17,5 @@ ExecStart=/usr/bin/xinit /usr/bin/dbus-launch --exit-with-session /usr/bin/kodi Restart=on-abort RestartSec = 5 -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target From 2d9f009785bcdb16e1d58685bc57dfaacda4fb69 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Fri, 12 Nov 2021 18:36:54 +0100 Subject: [PATCH 7/7] Update install --- scripts/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index d5bb250..c5d7ea1 100644 --- a/scripts/install +++ b/scripts/install @@ -168,7 +168,7 @@ usermod -a -G cdrom,audio,video,plugdev,users,dialout,dip,input,netdev "$app" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --description=media center --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports=$port +yunohost service add $app --description="media center" --log="$final_path/.kodi/temp/kodi.log" --needs_exposed_ports=$port #================================================= # START SYSTEMD SERVICE