diff --git a/README.md b/README.md
index 4df58ae..2610b25 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS feeds for new episodes of your favorite shows and will grab, sort and rename them. It can also be configured to automatically upgrade the quality of files already downloaded when a better quality format becomes available.
-**Shipped version:** 3.0.6.1196~ynh2
+**Shipped version:** 3.0.6.1196~ynh3
 ## Screenshots
diff --git a/README_fr.md b/README_fr.md
index fa7f7dd..42a9eeb 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -19,7 +19,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
 Sonarr est un PVR pour les utilisateurs Usenet et BitTorrent. Il peut surveiller plusieurs flux RSS pour les nouveaux épisodes de vos émissions préférées et les récupérer, les trier et les renommer. Il peut également être configuré pour mettre à niveau automatiquement la qualité des fichiers déjà téléchargés lorsqu'un format de meilleure qualité devient disponible.
-**Version incluse :** 3.0.6.1196~ynh2
+**Version incluse :** 3.0.6.1196~ynh3
 ## Captures d’écran
diff --git a/conf/systemd.service b/conf/systemd.service
index cc30084..afb4b3f 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -13,5 +13,40 @@ TimeoutStopSec=20
 KillMode=process
 Restart=on-failure
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index a136725..5701027 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "A series collection manager for Usenet and BitTorrent users",
 "fr": "Gestionnaire de collection de séries pour utilisateurs de Usenet et BitTorrent"
 },
- "version": "3.0.6.1196~ynh2",
+ "version": "3.0.6.1196~ynh3",
 "url": "https://sonarr.tv",
 "upstream": {
 "license": "GPL-3.0-only",
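Review bot: With the deny-list `SystemCallFilter=~@clock @debug ... @privileged` and no `SystemCallErrorNumber=`, any call the Sonarr runtime makes from a denied group terminates the process with SIGSYS instead of returning an error, so a filter that is slightly too strict surfaces as a restart loop under `Restart=on-failure` rather than a readable log line; adding `SystemCallErrorNumber=EPERM` right after the filter line makes a violation fail only that call and log it, which is far easier to diagnose on first start. `ProtectSystem=full` only makes /usr, /boot and /etc read-only; if the app's state lives in a fixed directory, `ProtectSystem=strict` plus `ReadWritePaths=<APP_DATA_DIR placeholder>` would confine writes to it, but verify the data and log paths against the install script before tightening. `ProtectProc=invisible` is only understood by systemd 247 and newer; presumably that is what the manifest's bump to `yunohost >= 11.2` covers, and older hosts will warn and ignore it rather than refuse to start. The `[Service]` header and the `User=` line this sandbox relies on are outside the hunk.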
@@ -20,7 +20,7 @@
 "email": "tituspijean@outlook.com"
 },
 "requirements": {
- "yunohost": ">= 4.2"
+ "yunohost": ">= 11.2"
 },
 "multi_instance": true,
 "services": [
diff --git a/scripts/install b/scripts/install
index 14f153e..8939659 100755
--- a/scripts/install
+++ b/scripts/install
@@ -154,7 +154,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --l
 # it may have been stopped by the installation of the dependencies.
 # Let's restart it.
 if [[ $(systemctl list-units -all | grep 'sonarr.service' | grep 'inactive') ]]; then
- ynh_exec_fully_quiet 'ynh_systemd_action --service_name=sonarr --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30'
+ ynh_exec_fully_quiet ynh_systemd_action --service_name=sonarr --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
 fi
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index c23c166..d67f847 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -124,7 +124,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --l
 # it may have been stopped by the installation of the dependencies.
 # Let's restart it.
 if [[ $(systemctl list-units -all | grep 'sonarr.service' | grep 'inactive') ]]; then
- ynh_exec_fully_quiet 'ynh_systemd_action --service_name=sonarr --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30'
+ ynh_exec_fully_quiet ynh_systemd_action --service_name=sonarr --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
 fi
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index b486d45..4c3ed1c 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
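Review bot: Dropping the single quotes around the `ynh_exec_fully_quiet` argument changes how `--line_match="Starting Web Server"` reaches `ynh_systemd_action`: the calling shell strips the inner double quotes before the helper sees the words, so if the helper still passes its arguments through `eval` (which is what the quoted form relied on) the text is re-split into `--line_match=Starting`, `Web` and `Server`, and the readiness match silently weakens to the first word with two stray positional arguments. I cannot see the helper from here, so please confirm which calling convention it expects in the yunohost version the manifest now requires; if it evals, keep the quoted form or escape the inner quotes, e.g. `--line_match=\"Starting Web Server\"`. The same edit appears in the scripts/restore and scripts/upgrade hunks.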
@@ -133,7 +133,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --l
 # it may have been stopped by the installation of the dependencies.
 # Let's restart it.
 if [[ $(systemctl list-units -all | grep 'sonarr.service' | grep 'inactive') ]]; then
- ynh_exec_fully_quiet 'ynh_systemd_action --service_name=sonarr --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30'
+ ynh_exec_fully_quiet ynh_systemd_action --service_name=sonarr --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
 fi
 #=================================================