Merge pull request #21 from YunoHost-Apps/testing

systemd-hardening + 10.11.0
2024-10-01 13:35:01 +02:00 · 2021-09-09 22:18:25 +02:00 · 2021-09-09 22:18:25 +02:00 · 08e1abd874
commit 08e1abd874
parent 0bdac48b6e 0614e0fa6f
12 changed files with 50 additions and 43 deletions
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 A DLNA, UPnP and HTTP(S) Media Server
-**Shipped version:** 10.10.1
+**Shipped version:** 10.11.0
--- a/README_fr.md
+++ b/README_fr.md
@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Un Serveur Multimedia DLNA, UPnP et HTTP(S)
-**Version incluse :** 10.10.1
+**Version incluse :** 10.11.0
--- a/6
+++ b/6
@ -1,7 +1,7 @@
 ;; Test complet
 	; Manifest
-		domain="domain.tld"	(DOMAIN)
+		domain="domain.tld"
-		is_public=1	(PUBLIC|public=1|private=0)
+		is_public=1
 		name=MyUMS
 		interface=eth0
 	; Checks
@ -13,7 +13,7 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
-		upgrade=1	from_commit=bc1a48f956ec737b7a9cf141a9d9437a5b636f10
+		upgrade=1	from_commit=0bdac48b6ee51cbfd687a1e3a693f105f79185b6
 		backup_restore=1
 		multi_instance=0
 		port_already_use=1
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -18,7 +18,6 @@ location __PATH__/ {
    rewrite ^ https://$server_name$request_uri? permanent;
  }
  # Include SSOWAT user panel.
  include conf.d/yunohost_panel.conf.inc;
 }
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -11,5 +11,35 @@ ExecStart=__FINALPATH__/UMS.sh headless
 StandardOutput=append:/var/log/__APP__/__APP__.log
 StandardError=inherit
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these 
 # .. but this should be a good baseline
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed
 ProtectSystem=full
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
 CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
 CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
 CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
 CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
 CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
 [Install]
 WantedBy=multi-user.target
--- a/manifest.json
+++ b/manifest.json
@ -6,10 +6,10 @@
        "en": "A DLNA, UPnP and HTTP(S) Media Server",
        "fr": "Un Serveur Multimedia DLNA, UPnP et HTTP(S)"
    },
-    "version": "10.10.1~ynh1",
+    "version": "10.11.0~ynh1",
    "url": "www.universalmediaserver.com",
    "upstream": {
-        "version": "10.10.1",
+        "version": "10.11.0",
        "license": "GPL-2.0-or-later",
        "website": "www.universalmediaserver.com",
        "admindoc": "https://github.com/UniversalMediaServer/UniversalMediaServer/wiki",
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -8,24 +8,31 @@
 pkg_dependencies="mediainfo dcraw p7zip"
 mach=`uname -m`
 sha256_arm64=365f475fbf6bfa1707059c58f04d8bd278ac198687ed079cdf9558ce907f99e8
 sha256_armel=b2a2183fa1c8fb7fd21b26350de99e4111443be1418eaf1245b46d893fa1dda4
 sha256_armhf=f3058462c4134bee62616c46b0642396ca61a393f2f1238052d1dc2af156234c
 sha256_x86_64=a6d5fd04bbece4f8f5ecfb62e6d7cdb5b03f58d13fb1428d7568b8f97389d129
 sha256_x86=8b9dd457ff8c86c15f6ca06335c7c62c750547911ed740195c9447e9d3e84888
 case "$mach" in
 "armv6l" ) mach="armel"
-			sha256=5f8c48404c5f9ec0e33ba1db25a26ec0bbcbac80ae971b586289873940d9bce0
+			sha256=$sha256_armel
 			#for some reason, jre is not in the tarball
 			pkg_dependencies="$pkg_dependencies openjdk-8-jre" ;;
 "armv7l" ) if [ $(dpkg --print-architecture) = "armhf" ]; then 
 				mach="armhf"
- 				sha256=aac79bcdc8d84250ec7f91a0b8752c9b1e7f6b9a4a1935bdbd0f5c01cacf7d09
+ 				sha256=$sha256_armhf
 				pkg_dependencies="$pkg_dependencies openjdk-8-jre"
 			else 
 				mach="armel"
- 				sha256=5f8c48404c5f9ec0e33ba1db25a26ec0bbcbac80ae971b586289873940d9bce0
+ 				sha256=$sha256_armel
 				pkg_dependencies="$pkg_dependencies openjdk-8-jre"
 			fi ;;
 "armv8l" ) mach="arm64"
- 			sha256=177460262ec4d1dfb8b28f44b4f91d79d519ca7a4afe2a6e6ed6c0d1a821a240 ;;
+ 			sha256=$sha256_arm64 ;;
 "x86_64" ) mach="x86_64"
- 			sha256=471b7bf68aaae7c68836b6e503ee0748cfba7b4cd01f23e408be559172dda45a ;;
+ 			sha256=$sha256_x86_64 ;;
 * ) mach="x86" 
- 	sha256=309d61fe65cbca5b7f6fca7eff4b7a14a13f177a0912798c38f5c80dd833c7d9 ;;
+ 	sha256=$sha256_x86 ;;
 esac
--- a/scripts/backup
+++ b/scripts/backup
@ -24,7 +24,6 @@ ynh_abort_if_errors
 ynh_print_warn --message="This script will only backup the app, no media will be saved"
 ynh_print_warn --message="To save your media, please use a backup tool such as borg"
 #=================================================
 # LOAD SETTINGS
 #=================================================
--- a/scripts/change_url
+++ b/scripts/change_url
@ -22,7 +22,6 @@ new_path=$YNH_APP_NEW_PATH
 app=$YNH_APP_INSTANCE_NAME
 #=================================================
 # LOAD SETTINGS
 #=================================================
@ -32,11 +31,6 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port_web=$(ynh_app_setting_get --app=$app --key=port_web)
 # Add settings here as needed by your application
 #db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 #db_user=$db_name
 #db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@ -108,12 +102,6 @@ then
 	ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi
 #=================================================
 # SPECIFIC MODIFICATIONS
 #=================================================
 # ...
 #=================================================
 #=================================================
 # GENERIC FINALISATION
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -32,7 +32,6 @@ interface=$YNH_APP_ARG_INTERFACE
 #upstream_version=$YNH_APP_MANIFEST_VERSION
 upstream_version=$(ynh_app_upstream_version)
 app=$YNH_APP_INSTANCE_NAME
 #=================================================
@ -97,7 +96,6 @@ ynh_script_progression --message="Setting up Multimedia directory..." --weight=9
 ynh_multimedia_build_main_dir
 ynh_multimedia_addaccess $app
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
@ -119,7 +117,6 @@ chmod -R o-rwx "$final_path"
 chown -R root:$app "$final_path"
 chown root:$app "$final_path/UMS.sh"
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -138,7 +135,6 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1
 # Create a dedicated systemd config
 ynh_add_systemd_config
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -34,15 +34,11 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port_web=$(ynh_app_setting_get --app=$app --key=port_web)
 port_rend=$(ynh_app_setting_get --app=$app --key=port_rend)
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
 ynh_webpath_available --domain=$domain --path_url=$path_url \
 	|| ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "
@ -91,7 +87,6 @@ chmod -R o-rwx "$final_path"
 chown -R root:$app "$final_path"
 chown root:$app "$final_path/UMS.sh"
 #=================================================
 # RESTORE FAIL2BAN CONFIGURATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -27,12 +27,6 @@ upstream_version=$(ynh_app_upstream_version)
 # CHECK VERSION
 #=================================================
 ### This helper will compare the version of the currently installed app and the version of the upstream package.
 ### $upgrade_type can have 2 different values
 ### - UPGRADE_APP if the upstream app version has changed
 ### - UPGRADE_PACKAGE if only the YunoHost package has changed
 ### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
 ### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
 upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
@ -115,7 +109,6 @@ then
 	yunohost firewall disallow TCP $port_web 2>&1
 fi
 #=================================================
 # SETUP SYSTEMD
 #=================================================
`@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in`

	`A DLNA, UPnP and HTTP(S) Media Server`	`A DLNA, UPnP and HTTP(S) Media Server`

	`Shipped version: 10.10.1`	`Shipped version: 10.11.0`
`@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour`

	`Un Serveur Multimedia DLNA, UPnP et HTTP(S)`	`Un Serveur Multimedia DLNA, UPnP et HTTP(S)`

	`Version incluse : 10.10.1`	`Version incluse : 10.11.0`