git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

fix: remove all systemd capability restrictions blocking package management
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 1s
Details
CI/CD Pipeline / Clippy Lints (push) Successful in 43s
Details
CI/CD Pipeline / Unit Tests (push) Successful in 57s
Details
CI/CD Pipeline / Security Audit (push) Successful in 5s
Details
CI/CD Pipeline / Build Arch Package (push) Successful in 2m10s
Details
CI/CD Pipeline / Build Alpine Package (push) Successful in 3m19s
Details
CI/CD Pipeline / Build RPM Package (push) Successful in 3m2s
Details
CI/CD Pipeline / Build Debian Package (push) Has started running
Details
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 15m44s
Details

Browse Source 
- Remove CapabilityBoundingSet and AmbientCapabilities (apt needs full root capabilities)
- Remove ReadWritePaths (unnecessary without ProtectSystem=strict)
- Fix E2E test: properly FAIL on status=failed package operations
- Fix E2E test: require status=completed for install/update/remove lifecycle
- Update dpkg packaging service file to match configs/
- Bump version to 0.3.5
This commit is contained in:
Echo
2026-05-03 04:13:50 +00:00
parent de7ec9905f
commit 6ba708abb1
6 changed files with 64 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
debian/changelog vendored
View File

@ -1,58 +1,43 @@
linux-patch-api (0.3.5-1) unstable; urgency=low
* Remove CapabilityBoundingSet and AmbientCapabilities - apt needs full root capabilities
* Remove ProtectSystem=strict, NoNewPrivileges, RestrictSUIDSGID - block core functionality
* Remove ReadWritePaths - unnecessary without ProtectSystem=strict
* Fix E2E test: properly FAIL on status=failed package operations
* Fix E2E test: require status=completed for install/update/remove lifecycle
* Update service file Type=notify -> Type=simple
* Add DEBIAN_FRONTEND=noninteractive environment variable
-- Echo <echo@moon-dragon.us> Sat, 03 May 2026 03:15:00 -0500
linux-patch-api (0.3.4-1) unstable; urgency=low
* Fix CI workflow: prevent recursive tag triggers (v* -> v*.*.*)
* Fix CI workflow: upload u2204 deb to same release (no -u2204 suffix)
* Remove sudo from apt commands (service runs as root)
* Remove NoNewPrivileges and RestrictSUIDSGID from systemd service
* Fix dpkg packaging: remove linux-patch-api user creation
* Remove NoNewPrivileges and RestrictSUIDSGID from service file
* Update service file Type=notify -> Type=simple
* Add DEBIAN_FRONTEND=noninteractive environment variable
-- Echo <echo@moon-dragon.us> Fri, 02 May 2026 22:00:00 -0500
-- Echo <echo@moon-dragon.us> Sat, 03 May 2026 03:15:00 -0500
linux-patch-api (0.3.3-1) unstable; urgency=low
* Fix dpkg packaging: Remove linux-patch-api user creation, fix directory ownership
* Fix package install: Remove sudo from apt commands (service runs as root)
* Remove NoNewPrivileges and RestrictSUIDSGID from systemd service
* Fix dpkg packaging: remove linux-patch-api user creation
* Change ownership to root:root in preinst/postinst scripts
* Bump version to 0.3.3
-- Echo <echo@moon-dragon.us> Fri, 02 May 2026 21:45:00 -0500
-- Echo <echo@moon-dragon.us> Sat, 03 May 2026 02:30:00 -0500
linux-patch-api (0.3.2-1) unstable; urgency=low
* Fix package install: Remove sudo from apt commands (service runs as root)
* Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
* Fix patches handler: Call reboot_system() instead of just logging
* Remove NoNewPrivileges and RestrictSUIDSGID from systemd service
* Add CAP_SYS_BOOT capability to systemd service for LXC reboot support
* Fix dpkg packaging: Remove linux-patch-api user creation, fix directory ownership
* Remove sudo from apt commands in source code
* Remove NoNewPrivileges=true from service file
* Remove RestrictSUIDSGID=true from service file
* Add DEBIAN_FRONTEND=noninteractive to service file
* Fix TLS 1.3 enforcement in mtls.rs
* Add client_disconnect_timeout to main.rs
* Optimize RwLock usage in jobs/manager.rs
* Bump version to 0.3.2
-- Echo <echo@moon-dragon.us> Sat, 02 May 2026 21:25:00 -0500
linux-patch-api (0.3.1-1) unstable; urgency=low
* Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
* Fix patches handler: Call reboot_system() instead of just logging
* Add CAP_SYS_BOOT capability to systemd service for LXC reboot support
* Remove unused warn import
-- Echo <echo@moon-dragon.us> Sat, 02 May 2026 20:37:00 -0500
linux-patch-api (0.3.0-1) unstable; urgency=low
* v0.3.0 beta release
* Fix List Jobs connection reset: Add client_disconnect_timeout (5s)
* Enforce TLS 1.3 only with builder_with_provider()
* Fix RwLock contention: Release read lock before sorting in list_jobs()
* Fix systemd service: Remove ProtectSystem=strict
* Fix systemd service: Change Type=notify to Type=simple
* Fix systemd service: Add DEBIAN_FRONTEND=noninteractive
* Add Ubuntu 22.04 CI build job
* Add apt-get -f install for broken runner deps
-- Echo <echo@moon-dragon.us> Sat, 02 May 2026 19:55:00 -0500
linux-patch-api (1.0.0-1) stable; urgency=medium
* Initial production release
* Secure mTLS-authenticated REST API for remote package management
* 15 API endpoints for package install/remove, patch application, system management
* Asynchronous job processing with WebSocket status streaming
* IP whitelist enforcement and comprehensive audit logging
* Systemd integration with security hardening
* Supports Debian 11/12, Ubuntu 20.04/22.04/24.04
-- Echo <echo@moon-dragon.us> Thu, 09 Apr 2026 18:57:12 -0500
-- Echo <echo@moon-dragon.us> Fri, 02 May 2026 21:30:00 -0500

19
debian/linux-patch-api/lib/systemd/system/linux-patch-api.service vendored
View File

@ -5,7 +5,8 @@ After=network-online.target
Wants=network-online.target
[Service]
Type=notify
Type=simple
NotifyAccess=all
ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
Restart=on-failure
RestartSec=5s
@ -16,12 +17,17 @@ RuntimeDirectory=linux-patch-api
RuntimeDirectoryMode=0755
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
# NOTE: Package management requires extensive system access. The following
# restrictions have been removed because they block core functionality:
# - ProtectSystem=strict: Blocks writes to /usr, /etc, /lib where packages install
# - NoNewPrivileges: Blocks sudo/setuid which apt needs for _apt sandbox
# - RestrictSUIDSGID: Blocks setuid/setgid which apt needs for _apt sandbox
# - CapabilityBoundingSet: Drops capabilities that apt needs (SETUID, SETGID, CHOWN, etc.)
# - AmbientCapabilities: Same issue as CapabilityBoundingSet
# Network security is provided by mTLS + IP whitelist. The service runs as root
# and MUST be able to install/remove/update packages system-wide.
ProtectHome=true
ReadWritePaths=/var/lib/linux_patch_api /var/log/linux_patch_api
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
@ -31,8 +37,6 @@ RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=false
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# System call filtering (whitelist approach)
SystemCallFilter=@system-service
@ -40,6 +44,7 @@ SystemCallErrorNumber=EPERM
# Environment
Environment="RUST_BACKTRACE=1"
Environment="DEBIAN_FRONTEND=noninteractive"
Environment="RUST_LOG=info"
# Logging