Update v0.6.5 + systemd

2024-09-03 19:36:35 +02:00 · 2024-02-08 19:48:37 +01:00 · 2024-02-08 19:48:37 +01:00 · de597a7b80
commit de597a7b80
parent df926f0c00
2 changed files with 21 additions and 29 deletions
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -8,38 +8,30 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/mautrix-discord -c __INSTALL_DIR__/config.yaml
 StandardOutput=append:/var/log/__APP__/__APP__.log
 StandardError=inherit
 Restart=always
 RestartSec=3
-# Sandboxing options to harden security
+# Optional hardening to improve security
-# Depending on specificities of your service/app, you may need to tweak these
+ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
 # .. but this should be a good baseline
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 ReadWritePaths=__INSTALL_DIR__ /var/log/__APP__
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=true
 PrivateTmp=yes
 PrivateDevices=yes
-PrivateUsers=true
+PrivateTmp=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHome=yes
-RestrictNamespaces=yes
+ProtectSystem=strict
-RestrictRealtime=yes
+ProtectControlGroups=true
 RestrictSUIDSGID=true
-DevicePolicy=closed
+RestrictRealtime=true
-ProtectClock=yes
+LockPersonality=true
 ProtectHostname=yes
 ProtectProc=invisible
 ProtectSystem=full
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectKernelLogs=true
-LockPersonality=yes
+ProtectKernelTunables=true
 ProtectHostname=true
 ProtectKernelModules=true
 PrivateUsers=true
 ProtectClock=true
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+SystemCallFilter=@system-service
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
@ -54,4 +46,4 @@ CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
 CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/manifest.toml
+++ b/manifest.toml
@ -81,12 +81,12 @@ ram.runtime = "1024M"
        extract = false
        rename = "mautrix-discord"
-        amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-amd64"
+        amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-amd64"
-        amd64.sha256 = "1510838d4128d401fceb3d92ba7571b980f06d5030bde3fdba73dd1b335a5868"
+        amd64.sha256 = "c89e2fdd6f5de28ae84d7f8ced27e174e8592364efd69c0ca6e8679e5c151489"
-        arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm64"
+        arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm64"
-        arm64.sha256 = "a9c33bed28763f182382110748f72bd866e90ab1bf62c90abcabe0d634f901aa"
+        arm64.sha256 = "080b520871a51ddbe866ad83c889d47323452e6c25ee1b785e04a690884a77d9"
-        armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm"
+        armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm"
-        armhf.sha256 = "31ddf6c5ed5fc5b2ca4224e7bd1bfdc856a6da85d7422538a1e8f6f06523e7f7"
+        armhf.sha256 = "e3a9eb3f64dc6d9e568f34f79b0b22cd08584c01779d22788ee6e966f5cde827"
    [resources.system_user]