Update v0.6.5 + systemd

2024-09-03 19:36:35 +02:00 · 2024-02-08 19:48:37 +01:00 · 2024-02-08 19:48:37 +01:00 · de597a7b80
commit de597a7b80
parent df926f0c00
2 changed files with 21 additions and 29 deletions
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -8,38 +8,30 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/mautrix-discord -c __INSTALL_DIR__/config.yaml
-StandardOutput=append:/var/log/__APP__/__APP__.log
-StandardError=inherit
 Restart=always
 RestartSec=3

-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-ReadWritePaths=__INSTALL_DIR__ /var/log/__APP__
+# Optional hardening to improve security
+ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=true
-PrivateTmp=yes
 PrivateDevices=yes
-PrivateUsers=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
 RestrictSUIDSGID=true
-DevicePolicy=closed
-ProtectClock=yes
-ProtectHostname=yes
-ProtectProc=invisible
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
+RestrictRealtime=true
+LockPersonality=true
 ProtectKernelLogs=true
-LockPersonality=yes
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+SystemCallFilter=@system-service

 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
--- a/manifest.toml
+++ b/manifest.toml
@ -81,12 +81,12 @@ ram.runtime = "1024M"
        extract = false
        rename = "mautrix-discord"

-        amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-amd64"
-        amd64.sha256 = "1510838d4128d401fceb3d92ba7571b980f06d5030bde3fdba73dd1b335a5868"
-        arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm64"
-        arm64.sha256 = "a9c33bed28763f182382110748f72bd866e90ab1bf62c90abcabe0d634f901aa"
-        armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm"
-        armhf.sha256 = "31ddf6c5ed5fc5b2ca4224e7bd1bfdc856a6da85d7422538a1e8f6f06523e7f7"
+        amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-amd64"
+        amd64.sha256 = "c89e2fdd6f5de28ae84d7f8ced27e174e8592364efd69c0ca6e8679e5c151489"
+        arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm64"
+        arm64.sha256 = "080b520871a51ddbe866ad83c889d47323452e6c25ee1b785e04a690884a77d9"
+        armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm"
+        armhf.sha256 = "e3a9eb3f64dc6d9e568f34f79b0b22cd08584c01779d22788ee6e966f5cde827"


    [resources.system_user]