Closed alexAubin closed 2 years ago
!testme
I'm a bit confused with this PR and #13. They're the same, no? Has anyone tested them before merging?
Also if someone has any reference or details to explain the reasons of these change, that would be cool, to understand better :)
This PR addresses some of the recommendations suggested by the CI https://ci-apps.yunohost.org/ci/job/4145
@eauchat : yes this PR is basically the same as #13 , but our usual dev workflow is : master
<- testing
<-PR
, it's just that in this case there's a single PR ;)
Regarding the change, there is a general effort to try to harden the security of app's systemd configuration, some sort of "semi-containerization", or at least restricting stuff that a service may or may not do (e.g. a webapp should apriori never have to try to trigger a poweroff of the machine ...)
This was initially discussed in https://github.com/YunoHost/issues/issues/1680 and https://github.com/YunoHost/issues/issues/1515. See also systemd-analyze security
You can read more about the exact settings in https://www.freedesktop.org/software/systemd/man/systemd.exec.html and https://man7.org/linux/man-pages/man7/capabilities.7.html which are in comment in the systemd conf. But expect to read pretty technical stuff ;)
Ok, got it. Thanks @alexAubin for the detailed explanation (and references) of all parts :)
Problem
Solution
PR Status
Automatic tests
Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)