YunoHost-Apps / dato_ynh

Dato package for YunoHost
GNU Affero General Public License v3.0

Testing #24

Closed alexAubin closed 2 years ago

alexAubin commented 2 years ago

Problem

Solution

PR Status

Automatic tests

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

alexAubin commented 2 years ago

!testme

yunohost-bot commented 2 years ago

May the CI gods be with you!

eauchat commented 2 years ago

I'm a bit confused with this PR and #13. They're the same, no? Has anyone tested them before merging?

eauchat commented 2 years ago

Also if someone has any reference or details to explain the reasons of these change, that would be cool, to understand better :)

ericgaspar commented 2 years ago

This PR addresses some of the recommendations suggested by the CI https://ci-apps.yunohost.org/ci/job/4145

alexAubin commented 2 years ago

@eauchat: yes, this PR is basically the same as #13, but our usual dev workflow is: master <- testing <- PR, it's just that in this case there's a single PR ;)

Regarding the change, there is a general effort to try to harden the security of apps' systemd configuration, some sort of "semi-containerization", or at least restricting stuff that a service may or may not do (e.g. a webapp should a priori never have to try to trigger a poweroff of the machine ...)

This was initially discussed in https://github.com/YunoHost/issues/issues/1680 and https://github.com/YunoHost/issues/issues/1515. See also systemd-analyze security

You can read more about the exact settings in https://www.freedesktop.org/software/systemd/man/systemd.exec.html and https://man7.org/linux/man-pages/man7/capabilities.7.html, which are referenced in comments in the systemd conf. But expect to read pretty technical stuff ;)
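To make the "semi-containerization" idea concrete, here is an added example of the kind of hardening block this discussion refers to: a `[Service]` section whose directives all come from the systemd.exec(5) and capabilities(7) pages linked above. It is illustrative only, not the unit shipped by dato_ynh or any other YunoHost package, and the service name, user, working directory and listening port are assumed placeholders. A plain unit with none of these lines runs with full root-equivalent capability set and unrestricted syscalls, which is exactly what `systemd-analyze security` flags; the lines below close the gaps one by one, including the "a webapp should never power off the machine" case via the capability bounding set and the `@reboot` syscall group.

```ini
# Illustrative hardened unit (added example, not the dato_ynh package's own file).
# Assumed placeholders: service name "example-webapp", user "example", port 8080.
[Unit]
Description=example-webapp (hardened service example)
After=network.target

[Service]
Type=simple
User=example
Group=example
WorkingDirectory=/var/www/example-webapp
ExecStart=/var/www/example-webapp/run --port 8080
Restart=on-failure

# --- Privilege and capability restrictions (see capabilities(7)) ---
# Drop every capability: a web app needs none of them when it binds an unprivileged port.
# CAP_SYS_BOOT in particular is what would allow reboot(2)/poweroff, so it must not be here.
CapabilityBoundingSet=
AmbientCapabilities=
# Child processes can never gain privileges via setuid binaries or file capabilities.
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# --- Filesystem view (see systemd.exec(5), "Sandboxing") ---
# Whole filesystem read-only except the paths explicitly opened up below.
ProtectSystem=strict
ReadWritePaths=/var/www/example-webapp/data
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Hide other processes in /proc and expose only the pid subset.
ProtectProc=invisible
ProcSubset=pid

# --- Kernel surface ---
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

# --- Network and syscalls ---
# Only the socket families a web service actually uses.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Allow the generic "system service" syscall set, then explicitly deny the groups
# a web app has no business calling: rebooting, loading kernel modules, swap, raw I/O.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@reboot @module @swap @raw-io @privileged @resources
SystemCallErrorNumber=EPERM
UMask=0077

[Install]
WantedBy=multi-user.target
```

After installing such a unit, `systemd-analyze security example-webapp.service` lists each directive with its exposure contribution and an overall score, which is the quickest way to see which settings a given package is still missing. When tightening a real app, add directives incrementally and watch the journal for EPERM failures: an overly strict `ReadWritePaths=` or syscall filter breaks the app loudly rather than silently, which is the intended failure mode.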

eauchat commented 2 years ago

Ok, got it. Thanks @alexAubin for the detailed explanation (and references) of all parts :)