Hardened systemd unit files (#9803)
Signed-off-by: Savyasachee Jha savya.jha@hawkradius.compull/9221/head
parent
ac6bfcd52f
commit
5bba1b4905
|
@ -0,0 +1 @@
|
||||||
|
Add hardened systemd files as proposed in [#9760](https://github.com/matrix-org/synapse/issues/9760) and added them to `contrib/`. Change the docs to reflect the presence of these files.
|
|
@ -0,0 +1,71 @@
|
||||||
|
[Service]
|
||||||
|
# The following directives give the synapse service R/W access to:
|
||||||
|
# - /run/matrix-synapse
|
||||||
|
# - /var/lib/matrix-synapse
|
||||||
|
# - /var/log/matrix-synapse
|
||||||
|
|
||||||
|
RuntimeDirectory=matrix-synapse
|
||||||
|
StateDirectory=matrix-synapse
|
||||||
|
LogsDirectory=matrix-synapse
|
||||||
|
|
||||||
|
######################
|
||||||
|
## Security Sandbox ##
|
||||||
|
######################
|
||||||
|
|
||||||
|
# Make sure that the service has its own unshared tmpfs at /tmp and that it
|
||||||
|
# cannot see or change any real devices
|
||||||
|
PrivateTmp=true
|
||||||
|
PrivateDevices=true
|
||||||
|
|
||||||
|
# We give no capabilities to a service by default
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
AmbientCapabilities=
|
||||||
|
|
||||||
|
# Protect the following from modification:
|
||||||
|
# - The entire filesystem
|
||||||
|
# - sysctl settings and loaded kernel modules
|
||||||
|
# - No modifications allowed to Control Groups
|
||||||
|
# - Hostname
|
||||||
|
# - System Clock
|
||||||
|
ProtectSystem=strict
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectHostname=true
|
||||||
|
|
||||||
|
# Prevent access to the following:
|
||||||
|
# - /home directory
|
||||||
|
# - Kernel logs
|
||||||
|
ProtectHome=tmpfs
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
|
||||||
|
# Make sure that the process can only see PIDs and process details of itself,
|
||||||
|
# and the second option disables seeing details of things like system load and
|
||||||
|
# I/O etc
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProcSubset=pid
|
||||||
|
|
||||||
|
# While not needed, we set these options explicitly
|
||||||
|
# - This process has been given access to the host network
|
||||||
|
# - It can also communicate with any IP Address
|
||||||
|
PrivateNetwork=false
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||||
|
IPAddressAllow=any
|
||||||
|
|
||||||
|
# Restrict system calls to a sane bunch
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
SystemCallFilter=~@privileged @resources @obsolete
|
||||||
|
|
||||||
|
# Misc restrictions
|
||||||
|
# - Since the process is a python process it needs to be able to write and
|
||||||
|
# execute memory regions, so we set MemoryDenyWriteExecute to false
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
RemoveIPC=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictNamespaces=true
|
||||||
|
LockPersonality=true
|
||||||
|
PrivateUsers=true
|
||||||
|
MemoryDenyWriteExecute=false
|
|
@ -65,3 +65,33 @@ systemctl restart matrix-synapse-worker@federation_reader.service
|
||||||
systemctl enable matrix-synapse-worker@federation_writer.service
|
systemctl enable matrix-synapse-worker@federation_writer.service
|
||||||
systemctl restart matrix-synapse.target
|
systemctl restart matrix-synapse.target
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Hardening
|
||||||
|
|
||||||
|
**Optional:** If further hardening is desired, the file
|
||||||
|
`override-hardened.conf` may be copied from
|
||||||
|
`contrib/systemd/override-hardened.conf` in this repository to the location
|
||||||
|
`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the
|
||||||
|
directory may have to be created). It enables certain sandboxing features in
|
||||||
|
systemd to further secure the synapse service. You may read the comments to
|
||||||
|
understand what the override file is doing. The same file will need to be copied
|
||||||
|
to
|
||||||
|
`/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf`
|
||||||
|
(this directory may also have to be created) in order to apply the same
|
||||||
|
hardening options to any worker processes.
|
||||||
|
|
||||||
|
Once these files have been copied to their appropriate locations, simply reload
|
||||||
|
systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically
|
||||||
|
be applied at every restart as long as the override files are present at the
|
||||||
|
specified locations.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
systemctl daemon-reload
|
||||||
|
|
||||||
|
# Restart services
|
||||||
|
systemctl restart matrix-synapse.target
|
||||||
|
```
|
||||||
|
|
||||||
|
In order to see their effect, you may run `systemd-analyze security
|
||||||
|
matrix-synapse.service` before and after applying the hardening options to see
|
||||||
|
the changes being applied at a glance.
|
||||||
|
|
Loading…
Reference in New Issue