diff options
| -rw-r--r-- | .github/workflows/openapi.yml | 9 | ||||
| -rw-r--r-- | Emby.Server.Implementations/Plugins/PluginManager.cs | 5 | ||||
| -rw-r--r-- | debian/jellyfin.service | 22 |
3 files changed, 32 insertions, 4 deletions
diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 6e370819a..ea9188f1b 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -3,15 +3,19 @@ on: push: branches: - master - pull_request: + pull_request_target: jobs: openapi-head: name: OpenAPI - HEAD runs-on: ubuntu-latest + permissions: read-all steps: - name: Checkout repository uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Setup .NET Core uses: actions/setup-dotnet@v1 with: @@ -31,6 +35,7 @@ jobs: name: OpenAPI - BASE if: ${{ github.base_ref != '' }} runs-on: ubuntu-latest + permissions: read-all steps: - name: Checkout repository uses: actions/checkout@v2 @@ -53,7 +58,7 @@ jobs: openapi-diff: name: OpenAPI - Difference - if: ${{ github.event_name == 'pull_request' }} + if: ${{ github.event_name == 'pull_request_target' }} runs-on: ubuntu-latest needs: - openapi-head diff --git a/Emby.Server.Implementations/Plugins/PluginManager.cs b/Emby.Server.Implementations/Plugins/PluginManager.cs index d52c0b2a1..d70a15dbc 100644 --- a/Emby.Server.Implementations/Plugins/PluginManager.cs +++ b/Emby.Server.Implementations/Plugins/PluginManager.cs @@ -126,7 +126,8 @@ namespace Emby.Server.Implementations.Plugins { assembly = Assembly.LoadFrom(file); - assembly.GetExportedTypes(); + // Load all required types to verify that the plugin will load + assembly.GetTypes(); } catch (FileLoadException ex) { @@ -134,7 +135,7 @@ namespace Emby.Server.Implementations.Plugins ChangePluginState(plugin, PluginStatus.Malfunctioned); continue; } - catch (TypeLoadException ex) // Undocumented exception + catch (SystemException ex) when (ex is TypeLoadException or ReflectionTypeLoadException) // Undocumented exception { _logger.LogError(ex, "Failed to load assembly {Path}. This error occurs when a plugin references an incompatible version of one of the shared libraries. Disabling plugin.", file); ChangePluginState(plugin, PluginStatus.NotSupported); diff --git a/debian/jellyfin.service b/debian/jellyfin.service index b79cd47c7..e215a8536 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL Restart = on-failure TimeoutSec = 15 +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +ProtectKernelModules=True +SystemCallFilter=~@clock +SystemCallFilter=~@aio +SystemCallFilter=~@chown +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@keyring +SystemCallFilter=~@memlock +SystemCallFilter=~@module +SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@privileged +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@setuid +SystemCallFilter=~@swap +SystemCallErrorNumber=EPERM + + [Install] WantedBy = multi-user.target |