Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Hardened systemd unit files #9803

Merged
merged 20 commits into from
May 19, 2021
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
0d754ef
Added some hardening measures to systemd unit files for managing the …
savyajha Apr 13, 2021
5be9e61
Added changelog
savyajha Apr 13, 2021
1de1225
Changed the changelog extension to correct one
savyajha Apr 13, 2021
f70c7aa
Added change to debian changelog
savyajha Apr 13, 2021
bfc0819
Added full stop to the end of changelog line
savyajha Apr 13, 2021
2a3b358
Renamed changelog file to correct pull request number
savyajha Apr 13, 2021
84fad5e
Update debian/matrix-synapse.service to match ordering in documentation
savyajha Apr 14, 2021
006576f
Revert "Update debian/matrix-synapse.service to match ordering in doc…
savyajha Apr 18, 2021
6783198
Revert "Renamed changelog file to correct pull request number"
savyajha Apr 18, 2021
df647d6
Revert "Added full stop to the end of changelog line"
savyajha Apr 18, 2021
2978ae1
Revert "Added change to debian changelog"
savyajha Apr 18, 2021
83d2f62
Revert "Changed the changelog extension to correct one"
savyajha Apr 18, 2021
8832e04
Revert "Added changelog"
savyajha Apr 18, 2021
e2cd6b5
Revert "Added some hardening measures to systemd unit files for manag…
savyajha Apr 18, 2021
12d1307
Made changes as requested in PR discussion and added a mention of har…
savyajha Apr 18, 2021
585ae38
Apply suggestions from code review by anoadragon453
savyajha May 18, 2021
ad8e2cc
Update changelog.d/9802.doc with a link to the actual issue
savyajha May 18, 2021
a36d1ec
Removed duplicate file for hardening systemd workers and updated the …
savyajha May 18, 2021
c891774
Apply suggestions from code review
anoadragon453 May 18, 2021
4d3d5dd
Fix changelog number
anoadragon453 May 18, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
matrix-synapse-py3 (1.31.0+nmu1) UNRELEASED; urgency=medium

* Skip tests when DEB_BUILD_OPTIONS contains "nocheck".
* Harden the systemd unit file

-- Dan Callahan <danc@element.io> Mon, 12 Apr 2021 13:07:36 +0000

Expand Down
71 changes: 71 additions & 0 deletions debian/matrix-synapse.service
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,76 @@ Restart=always
RestartSec=3
SyslogIdentifier=matrix-synapse

# The following directives give the synapse service R/W access to:
# - /run/matrix-synapse
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

RuntimeDirectory=matrix-synapse
StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
savyajha marked this conversation as resolved.
Show resolved Hide resolved

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
# execute memory regions, so we set MemoryDenyWriteExecute to false
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false

[Install]
WantedBy=multi-user.target
71 changes: 71 additions & 0 deletions docs/systemd-with-workers/system/matrix-synapse-worker@.service
Original file line number Diff line number Diff line change
Expand Up @@ -22,5 +22,76 @@ Restart=always
RestartSec=3
SyslogIdentifier=matrix-synapse-%i

# The following directives give the synapse worker service R/W access to:
# - /run/matrix-synapse
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

RuntimeDirectory=matrix-synapse
StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
# execute memory regions
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false

[Install]
WantedBy=matrix-synapse.target
71 changes: 71 additions & 0 deletions docs/systemd-with-workers/system/matrix-synapse.service
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,76 @@ Restart=always
RestartSec=3
SyslogIdentifier=matrix-synapse

# The following directives give the synapse service R/W access to:
# - /run/matrix-synapse
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

RuntimeDirectory=matrix-synapse
StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
# execute memory regions
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false

[Install]
WantedBy=matrix-synapse.target