Merge pull request #36 from YunoHost-Apps/testing

Fix backward compatibility tests in upgrade
2024-09-03 19:46:25 +02:00 · 2021-10-03 20:31:36 +02:00 · 2021-10-03 20:31:36 +02:00 · baf40fc601
commit baf40fc601
parent ec380d3a79 f08329e5ad
2 changed files with 40 additions and 5 deletions
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -12,5 +12,33 @@ ExecStart=__YNH_NODE__ red.js -p __PORT__ -u __FINALPATH__/data
 StandardOutput=append:/var/log/__APP__/__APP__.log
 StandardError=inherit

+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -65,15 +65,22 @@ if ynh_permission_exists --permission="admin"; then
 	ynh_permission_delete --permission="admin"
 	# We use main as admin permission
        ynh_permission_url --permission="main" --url="/admin"
+fi
+
+if ! ynh_permission_exists --permission="ui"; then
 	# Create ui permission, for the dashboard
 	ynh_permission_create --permission="ui" --url="/ui" --show_tile=true
+fi
+
+if ! ynh_permission_exists --permission="endpoints"; then
 	# Create endpoints permission
 	ynh_permission_create --permission="endpoints" --url="/" --show_tile=false
-	# Transfer the publicness of the app to ui and endpoints
-	if ynh_permission_has_user --permission=main --user=visitors; then
-		ynh_permission_update --permission="ui" --add="visitors"
-		ynh_permission_update --permission="endpoints" --add="visitors"
-	fi
+fi
+
+# Transfer the publicness of the app to ui and endpoints
+if ynh_permission_has_user --permission=main --user=visitors; then
+	ynh_permission_update --permission="ui" --add="visitors"
+	ynh_permission_update --permission="endpoints" --add="visitors"
 	# Remove visitor access to the admin panel
 	ynh_permission_update --permission="main" --remove="visitors"
 fi