From 46c6d4f7bd38c6a67c9ec77c104f41f7271a3d24 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Fri, 27 Aug 2021 15:37:25 +0200 Subject: [PATCH 1/3] Fix doc link --- manifest.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifest.json b/manifest.json index f87763d..6d8ed07 100644 --- a/manifest.json +++ b/manifest.json @@ -11,8 +11,8 @@ "upstream": { "license": "GPL-3.0-only", "website": "http://www.mattermost.org/", - "admindoc": "https://docs.mattermost.com/", - "userdoc": "https://yunohost.org/en/app_mattermost", + "admindoc": "https://docs.mattermost.com/guides/deployment.html", + "userdoc": "https://docs.mattermost.com/guides/messaging.html", "code": "https://github.com/mattermost/mattermost-server" }, "license": "GPL-3.0-only", From 562141e2a7e5a45915a40fe656553cffa7355b75 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Fri, 27 Aug 2021 13:37:31 +0000 Subject: [PATCH 2/3] Auto-update README --- README.md | 4 ++-- README_fr.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d668574..297691a 100644 --- a/README.md +++ b/README.md @@ -48,8 +48,8 @@ Mattermost Mobile and Desktop Apps are available [here](https://mattermost.com/d ## Documentation and resources * Official app website: http://www.mattermost.org/ -* Official user documentation: https://yunohost.org/en/app_mattermost -* Official admin documentation: https://docs.mattermost.com/ +* Official user documentation: https://docs.mattermost.com/guides/messaging.html +* Official admin documentation: https://docs.mattermost.com/guides/deployment.html * Upstream app code repository: https://github.com/mattermost/mattermost-server * YunoHost documentation for this app: https://yunohost.org/app_mattermost * Report a bug: https://github.com/YunoHost-Apps/mattermost_ynh/issues diff --git a/README_fr.md b/README_fr.md index ffe1dec..347ba21 100644 --- a/README_fr.md +++ b/README_fr.md @@ -42,8 +42,8 @@ Ce paquet peut être installé sur les architectures `ARM`, `ARM64` et `x86-64` ## Documentations et ressources * Site officiel de l'app : http://www.mattermost.org/ -* Documentation officielle utilisateur : https://yunohost.org/en/app_mattermost -* Documentation officielle de l'admin : https://docs.mattermost.com/ +* Documentation officielle utilisateur : https://docs.mattermost.com/guides/messaging.html +* Documentation officielle de l'admin : https://docs.mattermost.com/guides/deployment.html * Dépôt de code officiel de l'app : https://github.com/mattermost/mattermost-server * Documentation YunoHost pour cette app : https://yunohost.org/app_mattermost * Signaler un bug : https://github.com/YunoHost-Apps/mattermost_ynh/issues From 1b7fb89181feddb814472e3393e6e6595621ae15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Thu, 9 Sep 2021 23:45:22 +0200 Subject: [PATCH 3/3] Update systemd.service (#273) --- conf/systemd.service | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 0a3b276..8cea61d 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -15,5 +15,35 @@ User=__APP__ Group=__APP__ LimitNOFILE=49152 +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target