YunoHost-Apps / peertube_ynh

Federated (ActivityPub) video streaming platform using P2P for YunoHost
https://joinpeertube.org/fr/
GNU Affero General Public License v3.0

Fix 283 permissions #292

Closed fflorent closed 2 years ago

fflorent commented 2 years ago

Problem

Aims to be a fix for #283 keeping restrictions.

Solution

The issue is caused by the invocation of os.networkInterfaces() in the cacheable-lookup module: https://github.com/szmarczak/cacheable-lookup/blob/45b18daf9f0c8406691fad81188e956641e2309d/source/index.js#L41

This function lists the interfaces and thus needs AF_NETLINK.

In order to test, you may try this systemd service:

# /etc/systemd/system/test_node.service
[Unit]
Description=PeerTube daemon
After=network.target postgresql.service redis-server.service

[Service]
Type=forking
Environment=NODE_ENV=production
# This command evals the line causing the issue
ExecStart=/usr/bin/nodejs -e 'console.log(require("os").networkInterfaces())'
WorkingDirectory=/tmp/
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=test_node

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
# Try to tweak this line
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap

# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG

[Install]
WantedBy=multi-user.target

PR Status

Automatic tests

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B.: for this to work you need to be a member of the Yunohost-Apps organization.)
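The PR description pins the failure on os.networkInterfaces() opening an AF_NETLINK socket that RestrictAddressFamilies= denies. The script below is an added example, not code from this PR or from the peertube_ynh project: it derives the address families a process really opens from an strace socket(2) trace and diffs them against a unit's RestrictAddressFamilies= allow-list, so a packager can tighten the list from evidence instead of guessing. The trace lines, the unit fragment and the paths under $WORK are constructed samples so the script runs offline; the allow-list parser assumes the plain (non-"~") form used in this unit.

```shell
#!/bin/sh
# Added example (not part of the peertube_ynh PR): compare the address families a
# process opens with the families a systemd unit's RestrictAddressFamilies= permits.
#
# On a real host the trace is captured outside the hardened unit with
#   strace -f -e trace=socket -o socket.trace /usr/bin/nodejs -e 'require("os").networkInterfaces()'
# (the unit's SystemCallFilter=~@debug blocks ptrace, so strace cannot run inside it).

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed strace output. The AF_NETLINK/NETLINK_ROUTE lines are what
# os.networkInterfaces() (libuv's getifaddrs) produces; the rest is a typical web app.
cat > "$WORK/socket.trace" <<'EOF'
12345 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 17
12345 socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 18
12345 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 19
12346 socket(AF_INET6, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 20
12346 socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 21
EOF

# Constructed unit fragment with the pre-fix allow-list (AF_NETLINK absent).
cat > "$WORK/test_node.service" <<'EOF'
[Service]
ExecStart=/usr/bin/nodejs -e 'console.log(require("os").networkInterfaces())'
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
EOF

# Print the sorted, de-duplicated set of families seen in socket(2) calls.
traced_families() {
  sed -n 's/.*socket(\(AF_[A-Z0-9_]*\),.*/\1/p' "$1" | sort -u
}

# Print the families the unit's RestrictAddressFamilies= lines permit.
# Assumption: allow-list form only (no leading '~'); repeated lines are merged.
allowed_families() {
  sed -n 's/^[[:space:]]*RestrictAddressFamilies=//p' "$1" | tr ' ' '\n' | grep . | sort -u
}

# Print every traced family the unit would block; exit status 1 if there is any.
missing_families() {
  trace="$1"; unit="$2"
  traced_families "$trace" > "$WORK/traced"
  allowed_families "$unit" > "$WORK/allowed"
  # comm -23: lines present only in the first (sorted) file
  comm -23 "$WORK/traced" "$WORK/allowed" > "$WORK/missing"
  cat "$WORK/missing"
  [ ! -s "$WORK/missing" ]
}

if missing_families "$WORK/socket.trace" "$WORK/test_node.service" > "$WORK/report"; then
  echo "RestrictAddressFamilies= covers every family the process opened"
else
  echo "families the process opened but RestrictAddressFamilies= blocks:"
  cat "$WORK/report"
fi
```

With the constructed inputs the report lists AF_NETLINK, which is exactly the family this PR adds to the allow-list. Running the same diff after the fix (trace unchanged, AF_NETLINK added to the unit) produces an empty report, and a family that appears in the trace for an unexpected reason is a prompt to look at the code path rather than to widen the list.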

fflorent commented 2 years ago

Ping @BDouze if you want to take a look at it :)

fflorent commented 2 years ago

!testme

yunohost-bot commented 2 years ago

:sunflower: Test Badge

BDouze commented 2 years ago

I made some tests and it seems to be fine with RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK. Here is what I have tested:

fflorent commented 2 years ago

Thanks @BDouze!

fflorent commented 2 years ago

@ericgaspar Thanks for your review! :)

If it looks good to you and one approval is enough to merge this PR, I'll let you do this as I don't have write access.