From 684c870a32ee52f464b277d5c1cebc874c3806b0 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Tue, 7 Sep 2021 10:05:15 +0200
Subject: [PATCH 1/3] Update systemd.service

---
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index 8303cac..519e1b4 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,35 @@ ExecStart=/usr/bin/java -jar -Xmx1g komga.jar --server.port=__PORT__ --server.se
 Restart=on-failure
 RestartSec=10
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target

From 13bb16820ea67de8fa41ebd388ba7d0d76d41328 Mon Sep 17 00:00:00 2001
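Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist — the Linux capability is `CAP_SYS_RAWIO`, so systemd should log a parse warning and skip that token instead of dropping the capability, and the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. The practical exposure is nil here because `PrivateDevices=yes` a few lines above already removes CAP_SYS_RAWIO and CAP_MKNOD from the bounding set and implies `DevicePolicy=closed`, which also makes the explicit `DevicePolicy=closed` line redundant. The `SystemCallFilter=~…` denylist is usually paired with `SystemCallArchitectures=native` so that only the native system-call ABI is reachable, and `ProtectHome=yes` and `RestrictSUIDSGID=yes` from the same systemd.exec page would fit the "good baseline" the comment promises. `MemoryDenyWriteExecute=yes` is rightly absent since the JVM's JIT needs writable-and-executable memory, but a one-line comment saying why (`# MemoryDenyWriteExecute is not set: the JVM JIT needs W+X memory`) would stop a later maintainer from adding it. The `[Service]` section this hunk extends starts before the hunk.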
From: ericgaspar
Date: Fri, 10 Sep 2021 09:53:23 +0200
Subject: [PATCH 2/3] 0.125.0

---
 conf/app.src | 4 ++--
 manifest.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/conf/app.src b/conf/app.src
index 02f5470..a7f4535 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/gotson/komga/releases/download/v0.120.1/komga-0.120.1.jar
-SOURCE_SUM=3823c1fe63503ab9928ccafe7f15009820326b5f380b648bbff8254266a29070
+SOURCE_URL=https://github.com/gotson/komga/releases/download/v0.125.0/komga-0.125.0.jar
+SOURCE_SUM=ef676f83d05218d29ad84a54bac23c52d600ec6a8ba295f6d0b084124d83bc85
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=jar
 SOURCE_IN_SUBDIR=false
diff --git a/manifest.json b/manifest.json
index 5bd0fcf..1e3a635 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Media server for your comics, manga and magazines",
 "fr": "Serveur multimédia pour vos bandes dessinées, mangas et magazines"
 },
-"version": "0.120.1~ynh1",
+"version": "0.125.0~ynh1",
 "url": "https://komga.org",
 "upstream": {
 "license": "MIT",

From fdcfb0fd601f13835caa09110cd62222f1ef6552 Mon Sep 17 00:00:00 2001
From: Yunohost-Bot <>
Date: Fri, 10 Sep 2021 07:53:29 +0000
Subject: [PATCH 3/3] Auto-update README

---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 4818da9..672cb66 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ Komga is a free and open source comics/mangas server.
 
 - Download book files
 
-**Shipped version:** 0.120.1~ynh1
+**Shipped version:** 0.125.0~ynh1
 
 **Demo:** https://demo.komga.org
 
diff --git a/README_fr.md b/README_fr.md
index 67f1ae5..59ceb43 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -25,7 +25,7 @@ Komga is a free and open source comics/mangas server.
 
 - Download book files
 
-**Version incluse :** 0.120.1~ynh1
+**Version incluse :** 0.125.0~ynh1
 
 **Démo :** https://demo.komga.org
 