From 4c83c7d3b626480a815fff27844b2facf25946b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 31 May 2023 18:38:14 +0200 Subject: [PATCH] Fix linter --- check_process | 12 ++++++------ conf/systemd.service | 36 ++++++++++++++++++++++++++++++++++-- manifest.json | 9 ++++----- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 6 files changed, 47 insertions(+), 16 deletions(-) diff --git a/check_process b/check_process index 670e59f..0b0e093 100644 --- a/check_process +++ b/check_process @@ -5,18 +5,18 @@ ;; Test complet ; Manifest - domain="domain.tld" (DOMAIN) - path="/path" (PATH) - admin="john" (USER) - is_public=1 (PUBLIC|public=1|private=0) + domain="domain.tld" + path="/path" + admin="john" + is_public=1 password="pass" - port="666" (PORT) + port="666" ; Checks pkg_linter=1 setup_sub_dir=1 setup_root=1 setup_nourl=0 - setup_private=0 + setup_private=1 setup_public=1 upgrade=1 backup_restore=1 diff --git a/conf/systemd.service b/conf/systemd.service index 6b6cc92..7e4ce8a 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -6,12 +6,44 @@ After=redis.service postgresql.service User=__APP__ Group=__APP__ WorkingDirectory=__FINALPATH__/ - ExecStart=__FINALPATH__/venv/bin/gunicorn --config __FINALPATH__/gunicorn.conf.py wsgi - StandardOutput=syslog StandardError=syslog SyslogIdentifier=__APP__-server +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index a3daab9..ff955af 100644 --- a/manifest.json +++ b/manifest.json @@ -3,14 +3,13 @@ "id": "scovie", "packaging_format": 1, "description": { - "en": "Digital signage system for high schools.", - "fr": "Affichage dynamique open-source pour les lycées." + "en": "Digital signage system for high schools", + "fr": "Affichage dynamique open-source pour les lycées" }, - "version": "0.0.5", - "url": "https://github.com/YunoHost-Apps/scovie_ynh", + "version": "0.0.5~ynh1", + "url": "https://github.com/eldertek/scovie", "upstream": { "license": "GPL-3.0", - "website": "https://github.com/eldertek/scovie", "code": "https://github.com/eldertek/scovie" }, "license": "GPL-3.0", diff --git a/scripts/install b/scripts/install index 730919e..a9b9106 100644 --- a/scripts/install +++ b/scripts/install @@ -188,7 +188,7 @@ ynh_use_logrotate "$log_file" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --description="$app server" --log="${log_file}" +yunohost service add $app --description="Digital signage system for high schools" --log="${log_file}" #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index a72837e..2056048 100644 --- a/scripts/restore +++ b/scripts/restore @@ -127,7 +127,7 @@ systemctl enable $app.service --quiet #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log="${log_file}" +yunohost service add $app --description="Digital signage system for high schools" --log="${log_file}" #================================================= # RESTORE THE LOGROTATE CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index 9bdc8f1..9df5111 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -189,7 +189,7 @@ ynh_use_logrotate --non-append #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log="${log_file}" +yunohost service add $app --description="Digital signage system for high schools" --log="${log_file}" #================================================= # GENERIC FINALIZATION