From a97a1dc2b9a4c3ce155ccfe14b7e70f94f65cbf2 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Fri, 9 Feb 2024 20:32:55 +0100
Subject: [PATCH] Fix

---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 scripts/restore | 6 +++---
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 3309e3c..f8ef3be 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,39 @@ ExecStart=__INSTALL_DIR__/mautrix-discord -c __INSTALL_DIR__/config.yaml
 Restart=always
 RestartSec=3
 
+# Optional hardening to improve security
+ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/restore b/scripts/restore
index ada7bb8..d53968e 100755
--- a/scripts/restore
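Review bot: `ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__` re-opens for writing the directory that holds the executable launched by `ExecStart=__INSTALL_DIR__/mautrix-discord` and its `config.yaml`, so `ProtectSystem=strict` no longer keeps the service from modifying its own binary and configuration, and any such modification is picked up again by `Restart=always`. If the bridge's writable state (database, registration file) can be pointed at a dedicated data directory, grant only that plus the log directory, e.g. `ReadWritePaths=<DATA_DIR placeholder> /var/log/__APP__`; which paths the bridge actually writes is not visible in this hunk, so confirm against config.yaml before narrowing. If the install directory must stay writable, a one-line comment such as `# __INSTALL_DIR__ stays writable because the bridge stores <state> there` would tell the next auditor why the grant is this broad. The `User=`/`Group=` settings that `PrivateUsers=true` and the `CapabilityBoundingSet=` lines interact with are outside the hunk.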
+++ b/scripts/restore
@@ -54,15 +54,15 @@ ynh_script_progression --message="Restoring system configurations related to $ap
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
-yunohost service add $app --description="Matrix Discord pupetting bridge for YunoHost" --log="/var/log/$app/$app.log"
-
 ynh_restore_file --origin_path="/etc/logrotate.d/$app"
 
 # Use logrotate to manage application logfile(s)
-ynh_use_logrotate --logfile "/var/log/$app/$app.log" --nonappend --specific_user $app/$app
+mkdir --parents "/var/log/$app"
 chmod -R 600 "/var/log/$app"
 chmod 700 "/var/log/$app"
 chown -R $app:$app /var/log/$app
+yunohost service add $app --description="Matrix Discord pupetting bridge for YunoHost" --log="/var/log/$app/$app.log"
+
 
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
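Review bot: The context comment `# Use logrotate to manage application logfile(s)` now heads a block that only creates and locks down `/var/log/$app`, because the `ynh_use_logrotate` call beneath it is removed and logrotate is handled by the `ynh_restore_file --origin_path="/etc/logrotate.d/$app"` call above; replace it with `# Create the log directory and restrict it to $app`. The relocated `yunohost service add` line still carries the typo "pupetting" in the user-visible description (presumably `puppeting` is intended) and leaves `$app` unquoted, unlike the `mkdir --parents "/var/log/$app"` line added in the same hunk. The restore script continues outside the hunk on both sides.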