Merge branch 'master' into providermanager-cleanup

7 files changed, 58 insertions, 41 deletions

diff --git a/debian/changelog b/debian/changelog
index 430594cac2..0d744c02a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+jellyfin-server (10.9.0-1) unstable; urgency=medium
+
+  * New upstream version 10.9.0; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.9.0
+
+ -- Jellyfin Packaging Team <packaging@jellyfin.org>  Wed, 13 Jul 2022 20:58:08 -0600
+
 jellyfin-server (10.8.0-1) unstable; urgency=medium
 
   * Forthcoming stable release
diff --git a/debian/conf/jellyfin-sudoers b/debian/conf/jellyfin-sudoers
index f84e7454ff..795fd17e83 100644
--- a/debian/conf/jellyfin-sudoers
+++ b/debian/conf/jellyfin-sudoers
@@ -30,8 +30,4 @@ Defaults!RESTARTSERVER_INITD !requiretty
 Defaults!STARTSERVER_INITD !requiretty
 Defaults!STOPSERVER_INITD !requiretty
 
-#Allow the server to mount iso images
-jellyfin ALL=(ALL) NOPASSWD: /bin/mount
-jellyfin ALL=(ALL) NOPASSWD: /bin/umount
-
 Defaults:jellyfin !requiretty
diff --git a/debian/conf/jellyfin.service.conf b/debian/conf/jellyfin.service.conf
index 1b69dd74ef..1f92d7d94e 100644
--- a/debian/conf/jellyfin.service.conf
+++ b/debian/conf/jellyfin.service.conf
@@ -3,5 +3,53 @@
 # Use this file to override the user or environment file location.
 
 [Service]
+# Alter the user that Jellyfin runs as
 #User = jellyfin
+
+# Alter where environment variables are sourced from
 #EnvironmentFile = /etc/default/jellyfin
+
+# Service hardening options
+# These were added in PR #6953 to solve issue #6952, but some combination of
+# them causes "restart.sh" functionality to break with the following error:
+#   sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
+#   'nosuid' option set or an NFS file system without root privileges?
+# See issue #7503 for details on the troubleshooting that went into this.
+# Since these were added for NixOS specifically and are above and beyond
+# what 99% of systemd units do, they have been moved here as optional
+# additional flags to set for maximum system security and can be enabled at
+# the administrator's or package maintainer's discretion.
+# Uncomment these only if you know what you're doing, and doing so may cause
+# bugs with in-server Restart and potentially other functionality as well.
+#NoNewPrivileges=true
+#SystemCallArchitectures=native
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+#RestrictNamespaces=false
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
+#ProtectControlGroups=false
+#ProtectHostname=true
+#ProtectKernelLogs=false
+#ProtectKernelModules=false
+#ProtectKernelTunables=false
+#LockPersonality=true
+#PrivateTmp=false
+#PrivateDevices=false
+#PrivateUsers=true
+#RemoveIPC=true
+#SystemCallFilter=~@clock
+#SystemCallFilter=~@aio
+#SystemCallFilter=~@chown
+#SystemCallFilter=~@cpu-emulation
+#SystemCallFilter=~@debug
+#SystemCallFilter=~@keyring
+#SystemCallFilter=~@memlock
+#SystemCallFilter=~@module
+#SystemCallFilter=~@mount
+#SystemCallFilter=~@obsolete
+#SystemCallFilter=~@privileged
+#SystemCallFilter=~@raw-io
+#SystemCallFilter=~@reboot
+#SystemCallFilter=~@setuid
+#SystemCallFilter=~@swap
+#SystemCallErrorNumber=EPERM
diff --git a/debian/control b/debian/control
index da9aa94d4d..dea48d9482 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,7 @@ Depends: at,
          libsqlite3-0,
          libfontconfig1,
          libfreetype6,
-         libssl1.1
+         libssl1.1 | libssl3
 Recommends: jellyfin-web, sudo
 Description: Jellyfin is the Free Software Media System.
  This package provides the Jellyfin server backend and API.
diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index 064e105373..1150924a08 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -8,43 +8,10 @@ EnvironmentFile = /etc/default/jellyfin
 User = jellyfin
 Group = jellyfin
 WorkingDirectory = /var/lib/jellyfin
-ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
+ExecStart = /usr/bin/jellyfin $JELLYFIN_WEB_OPT $JELLYFIN_RESTART_OPT $JELLYFIN_FFMPEG_OPT $JELLYFIN_SERVICE_OPT $JELLYFIN_NOWEBAPP_OPT $JELLYFIN_ADDITIONAL_OPTS
 Restart = on-failure
 TimeoutSec = 15
 SuccessExitStatus=0 143
 
-NoNewPrivileges=true
-SystemCallArchitectures=native
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=false
-RestrictRealtime=true
-RestrictSUIDSGID=true
-ProtectControlGroups=false
-ProtectHostname=true
-ProtectKernelLogs=false
-ProtectKernelModules=false
-ProtectKernelTunables=false
-LockPersonality=true
-PrivateTmp=false
-PrivateDevices=false
-PrivateUsers=true
-RemoveIPC=true
-SystemCallFilter=~@clock
-SystemCallFilter=~@aio
-SystemCallFilter=~@chown
-SystemCallFilter=~@cpu-emulation
-SystemCallFilter=~@debug
-SystemCallFilter=~@keyring
-SystemCallFilter=~@memlock
-SystemCallFilter=~@module
-SystemCallFilter=~@mount
-SystemCallFilter=~@obsolete
-SystemCallFilter=~@privileged
-SystemCallFilter=~@raw-io
-SystemCallFilter=~@reboot
-SystemCallFilter=~@setuid
-SystemCallFilter=~@swap
-SystemCallErrorNumber=EPERM
-
 [Install]
 WantedBy = multi-user.target
diff --git a/debian/metapackage/jellyfin b/debian/metapackage/jellyfin
index a9a0ae5b01..8787c3a496 100644
--- a/debian/metapackage/jellyfin
+++ b/debian/metapackage/jellyfin
@@ -5,7 +5,7 @@ Homepage: https://jellyfin.org
 Standards-Version: 3.9.2
 
 Package: jellyfin
-Version: 10.8.0
+Version: 10.9.0
 Maintainer: Jellyfin Packaging Team <packaging@jellyfin.org>
 Depends: jellyfin-server, jellyfin-web
 Description: Provides the Jellyfin Free Software Media System
diff --git a/debian/rules b/debian/rules
index 64e2b48ea8..f55b1807ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -40,7 +40,7 @@ override_dh_clistrip:
 
 override_dh_auto_build:
 	dotnet publish -maxcpucount:1 --configuration $(CONFIG) --output='$(CURDIR)/usr/lib/jellyfin/bin' --self-contained --runtime $(DOTNETRUNTIME) \
-		"-p:DebugSymbols=false;DebugType=none" Jellyfin.Server
+		-p:DebugSymbols=false -p:DebugType=none Jellyfin.Server
 
 override_dh_auto_clean:
 	dotnet clean -maxcpucount:1 --configuration $(CONFIG) Jellyfin.Server || true