Fix

2024-10-01 13:35:01 +02:00 · 2021-09-08 10:47:50 +02:00 · 2021-09-08 10:47:50 +02:00 · 4f6f045085
commit 4f6f045085
parent ee7c9f68ec
11 changed files with 50 additions and 50 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -8,7 +8,7 @@ about: When creating a bug report, please use the following template to provide
 1. *Read this whole template first.*
 2. *Determine if you are on the right place:*
   - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!*
-   - *Otherwise, the issue may be due to ums itself. Refer to its documentation or repository for help.*
+   - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.*
   - *When in doubt, post here and we will figure it out together.*
 3. *Delete the italic comments as you write over them below, and remove this guide.*
 --- 
@ -31,7 +31,7 @@ about: When creating a bug report, please use the following template to provide

 - *If you performed a command from the CLI, the command itself is enough. For example:*
    ```sh
-    sudo yunohost app install ums
+    sudo yunohost app install the_app
    ```
 - *If you used the webadmin, please perform the equivalent command from the CLI first.*
 - *If the error occurs in your browser, explain what you did:*
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -0,0 +1,16 @@
+## Problem
+
+- *Description of why you made this PR*
+
+## Solution
+
+- *And how do you fix that problem*
+
+## PR Status
+
+- [ ] Code finished and ready to be reviewed/tested
+- [ ] The fix/enhancement were manually tested (if applicable)
+
+## Automatic tests
+
+Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ *after creating the PR*, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)
--- a/4
+++ b/4
@ -1,7 +1,7 @@
 ;; Test complet
 	; Manifest
-		domain="domain.tld"	(DOMAIN)
-		is_public=1	(PUBLIC|public=1|private=0)
+		domain="domain.tld"
+		is_public=1
 		name=MyUMS
 		interface=eth0
 	; Checks
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -18,7 +18,6 @@ location __PATH__/ {
    rewrite ^ https://$server_name$request_uri? permanent;
  }

-
  # Include SSOWAT user panel.
  include conf.d/yunohost_panel.conf.inc;
 }
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -11,5 +11,35 @@ ExecStart=__FINALPATH__/UMS.sh headless
 StandardOutput=append:/var/log/__APP__/__APP__.log
 StandardError=inherit

+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target
--- a/pull_request_template.md
+++ b/pull_request_template.md
@ -1,16 +0,0 @@
-## Problem
- *Description of why you made this PR*
-
-## Solution
- *And how do you fix that problem*
-
-## PR Status
- [ ] Code finished.
- [ ] Tested with Package_check.
- [ ] Fix or enhancement tested.
- [ ] Upgrade from last version tested.
- [ ] Can be reviewed and tested.
-
-## Package_check results
---
-* An automatic package_check will be launch at https://ci-apps-dev.yunohost.org/, when you add a specific comment to your Pull Request: "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!"*
--- a/scripts/backup
+++ b/scripts/backup
@ -24,7 +24,6 @@ ynh_abort_if_errors
 ynh_print_warn --message="This script will only backup the app, no media will be saved"
 ynh_print_warn --message="To save your media, please use a backup tool such as borg"

-
 #=================================================
 # LOAD SETTINGS
 #=================================================
--- a/scripts/change_url
+++ b/scripts/change_url
@ -22,7 +22,6 @@ new_path=$YNH_APP_NEW_PATH

 app=$YNH_APP_INSTANCE_NAME

-
 #=================================================
 # LOAD SETTINGS
 #=================================================
@ -32,11 +31,6 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port_web=$(ynh_app_setting_get --app=$app --key=port_web)

-# Add settings here as needed by your application
-#db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-#db_user=$db_name
-#db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
-
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@ -108,12 +102,6 @@ then
 	ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi

-#=================================================
-# SPECIFIC MODIFICATIONS
-#=================================================
-# ...
-#=================================================
-
 #=================================================
 # GENERIC FINALISATION
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -32,7 +32,6 @@ interface=$YNH_APP_ARG_INTERFACE
 #upstream_version=$YNH_APP_MANIFEST_VERSION
 upstream_version=$(ynh_app_upstream_version)

-
 app=$YNH_APP_INSTANCE_NAME

 #=================================================
@ -97,7 +96,6 @@ ynh_script_progression --message="Setting up Multimedia directory..." --weight=9
 ynh_multimedia_build_main_dir
 ynh_multimedia_addaccess $app

-
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
@ -119,7 +117,6 @@ chmod -R o-rwx "$final_path"
 chown -R root:$app "$final_path"
 chown root:$app "$final_path/UMS.sh"

-
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -138,7 +135,6 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1
 # Create a dedicated systemd config
 ynh_add_systemd_config

-
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -34,15 +34,11 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port_web=$(ynh_app_setting_get --app=$app --key=port_web)
 port_rend=$(ynh_app_setting_get --app=$app --key=port_rend)

-
-
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1

-ynh_webpath_available --domain=$domain --path_url=$path_url \
-	|| ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "

@ -91,7 +87,6 @@ chmod -R o-rwx "$final_path"
 chown -R root:$app "$final_path"
 chown root:$app "$final_path/UMS.sh"

-
 #=================================================
 # RESTORE FAIL2BAN CONFIGURATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -27,12 +27,6 @@ upstream_version=$(ynh_app_upstream_version)
 # CHECK VERSION
 #=================================================

-### This helper will compare the version of the currently installed app and the version of the upstream package.
-### $upgrade_type can have 2 different values
-### - UPGRADE_APP if the upstream app version has changed
-### - UPGRADE_PACKAGE if only the YunoHost package has changed
-### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
-### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
 upgrade_type=$(ynh_check_app_version_changed)

 #=================================================
@ -115,7 +109,6 @@ then
 	yunohost firewall disallow TCP $port_web 2>&1
 fi

-
 #=================================================
 # SETUP SYSTEMD
 #=================================================