diff options
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | src/LogInit.cxx | 2 | ||||
| -rw-r--r-- | src/queue/Queue.cxx | 7 | ||||
| -rw-r--r-- | systemd/mpd.service.in | 9 |
4 files changed, 18 insertions, 5 deletions
@@ -59,7 +59,9 @@ ver 0.20 (not yet released) * switch the code base to C++14 - GCC 4.9 or clang 3.4 (or newer) recommended -ver 0.19.20 (not yet released) +ver 0.19.20 (2016/12/09) +* protocol + - "setprio" re-enqueues old song if priority has been raised * decoder - ffmpeg: ignore empty packets - pcm: fix corruption bug with partial frames (after short read) @@ -67,6 +69,7 @@ ver 0.19.20 (not yet released) * output - winmm: fix 8 bit playback * fix gcc 7.0 -Wimplicit-fallthrough +* systemd: paranoid security settings ver 0.19.19 (2016/08/23) * decoder diff --git a/src/LogInit.cxx b/src/LogInit.cxx index 705bae8f3..12d9ea9a9 100644 --- a/src/LogInit.cxx +++ b/src/LogInit.cxx @@ -45,7 +45,7 @@ static constexpr Domain log_domain("log"); #ifndef ANDROID -static int out_fd; +static int out_fd = -1; static AllocatedPath out_path = AllocatedPath::Null(); static void redirect_logs(int fd) diff --git a/src/queue/Queue.cxx b/src/queue/Queue.cxx index f42b1763e..3e2b0d74c 100644 --- a/src/queue/Queue.cxx +++ b/src/queue/Queue.cxx @@ -427,14 +427,15 @@ Queue::SetPriority(unsigned position, uint8_t priority, int after_order, if (_order < (unsigned)after_order) { /* the specified song has been played already - - enqueue it only if its priority has just - become bigger than the current one's */ + - enqueue it only if its priority has been + increased and is now bigger than the + current one's */ const unsigned after_position = OrderToPosition(after_order); const Item *after_item = &items[after_position]; - if (old_priority > after_item->priority || + if (priority <= old_priority || priority <= after_item->priority) /* priority hasn't become bigger */ return true; diff --git a/systemd/mpd.service.in b/systemd/mpd.service.in index f48c0f0e4..7b0218bf2 100644 --- a/systemd/mpd.service.in +++ b/systemd/mpd.service.in @@ -14,6 +14,15 @@ LimitRTTIME=infinity # disallow writing to /usr, /bin, /sbin, ... ProtectSystem=yes +# more paranoid security settings +NoNewPrivileges=yes +ProtectKernelTunables=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh* +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK +RestrictNamespaces=yes + [Install] WantedBy=multi-user.target Also=mpd.socket |