diff --git a/conf/systemd.service b/conf/systemd.service
index 1d7a162..f8ef3be 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -8,38 +8,30 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/mautrix-discord -c __INSTALL_DIR__/config.yaml
-StandardOutput=append:/var/log/__APP__/__APP__.log
-StandardError=inherit
 Restart=always
 RestartSec=3
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-ReadWritePaths=__INSTALL_DIR__ /var/log/__APP__
+# Optional hardening to improve security
+ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=true
-PrivateTmp=yes
 PrivateDevices=yes
-PrivateUsers=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
 RestrictSUIDSGID=true
-DevicePolicy=closed
-ProtectClock=yes
-ProtectHostname=yes
-ProtectProc=invisible
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
+RestrictRealtime=true
+LockPersonality=true
 ProtectKernelLogs=true
-LockPersonality=yes
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+SystemCallFilter=@system-service
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
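Review bot: The rewritten hardening block drops `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`, `RestrictNamespaces=yes`, `ProtectProc=invisible` and `DevicePolicy=closed` without replacement, and the new one-line comment does not say why. Unless one of them was found to break the bridge, I would keep at least the first two, and record the reason in the comment for any that must go. `SystemCallFilter=@system-service` is an allow-list, but that set includes the `@setuid` and `@chown` groups that the old deny-list blocked (the latter via `@privileged`), so a second line `SystemCallFilter=~@privileged` after it would preserve that restriction. Separately, `ReadWritePaths=` still lists `/var/log/__APP__` although the `StandardOutput=append:` line is removed. A listed path that does not exist makes the unit fail at namespace setup, so if the install script stops creating that directory (not visible in this diff) the entry should be dropped or prefixed with `-`.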
@@ -54,4 +46,4 @@ CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
 CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/manifest.toml b/manifest.toml
index ab454d3..6de41d9 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -81,12 +81,12 @@ ram.runtime = "1024M"
 extract = false
 rename = "mautrix-discord"
- amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-amd64"
- amd64.sha256 = "1510838d4128d401fceb3d92ba7571b980f06d5030bde3fdba73dd1b335a5868"
- arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm64"
- arm64.sha256 = "a9c33bed28763f182382110748f72bd866e90ab1bf62c90abcabe0d634f901aa"
- armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm"
- armhf.sha256 = "31ddf6c5ed5fc5b2ca4224e7bd1bfdc856a6da85d7422538a1e8f6f06523e7f7"
+ amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-amd64"
+ amd64.sha256 = "c89e2fdd6f5de28ae84d7f8ced27e174e8592364efd69c0ca6e8679e5c151489"
+ arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm64"
+ arm64.sha256 = "080b520871a51ddbe866ad83c889d47323452e6c25ee1b785e04a690884a77d9"
+ armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm"
+ armhf.sha256 = "e3a9eb3f64dc6d9e568f34f79b0b22cd08584c01779d22788ee6e966f5cde827"
 [resources.system_user]