anonymousland-synapse/contrib/systemd/override-hardened.conf

[Service]
# The following directives give the synapse service R/W access to:
# - /run/matrix-synapse
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

RuntimeDirectory=matrix-synapse
StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
#   execute memory regions, so we set MemoryDenyWriteExecute to false
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false
Hardened systemd unit files (#9803) Signed-off-by: Savyasachee Jha savya.jha@hawkradius.com 2021-05-19 06:44:16 -04:00			`[Service]`
			`# The following directives give the synapse service R/W access to:`
			`# - /run/matrix-synapse`
			`# - /var/lib/matrix-synapse`
			`# - /var/log/matrix-synapse`

			`RuntimeDirectory=matrix-synapse`
			`StateDirectory=matrix-synapse`
			`LogsDirectory=matrix-synapse`

			`######################`
			`## Security Sandbox ##`
			`######################`

			`# Make sure that the service has its own unshared tmpfs at /tmp and that it`
			`# cannot see or change any real devices`
			`PrivateTmp=true`
			`PrivateDevices=true`

			`# We give no capabilities to a service by default`
			`CapabilityBoundingSet=`
			`AmbientCapabilities=`

			`# Protect the following from modification:`
			`# - The entire filesystem`
			`# - sysctl settings and loaded kernel modules`
			`# - No modifications allowed to Control Groups`
			`# - Hostname`
			`# - System Clock`
			`ProtectSystem=strict`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectControlGroups=true`
			`ProtectClock=true`
			`ProtectHostname=true`

			`# Prevent access to the following:`
			`# - /home directory`
			`# - Kernel logs`
			`ProtectHome=tmpfs`
			`ProtectKernelLogs=true`

			`# Make sure that the process can only see PIDs and process details of itself,`
			`# and the second option disables seeing details of things like system load and`
			`# I/O etc`
			`ProtectProc=invisible`
			`ProcSubset=pid`

			`# While not needed, we set these options explicitly`
			`# - This process has been given access to the host network`
			`# - It can also communicate with any IP Address`
			`PrivateNetwork=false`
			`RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`
			`IPAddressAllow=any`

			`# Restrict system calls to a sane bunch`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
			`SystemCallFilter=~@privileged @resources @obsolete`

			`# Misc restrictions`
			`# - Since the process is a python process it needs to be able to write and`
			`# execute memory regions, so we set MemoryDenyWriteExecute to false`
			`RestrictSUIDSGID=true`
			`RemoveIPC=true`
			`NoNewPrivileges=true`
			`RestrictRealtime=true`
			`RestrictNamespaces=true`
			`LockPersonality=true`
			`PrivateUsers=true`
			`MemoryDenyWriteExecute=false`