1
0

override-hardened.conf 1.9 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071
  1. [Service]
  2. # The following directives give the synapse service R/W access to:
  3. # - /run/matrix-synapse
  4. # - /var/lib/matrix-synapse
  5. # - /var/log/matrix-synapse
  6. RuntimeDirectory=matrix-synapse
  7. StateDirectory=matrix-synapse
  8. LogsDirectory=matrix-synapse
  9. ######################
  10. ## Security Sandbox ##
  11. ######################
  12. # Make sure that the service has its own unshared tmpfs at /tmp and that it
  13. # cannot see or change any real devices
  14. PrivateTmp=true
  15. PrivateDevices=true
  16. # We give no capabilities to a service by default
  17. CapabilityBoundingSet=
  18. AmbientCapabilities=
  19. # Protect the following from modification:
  20. # - The entire filesystem
  21. # - sysctl settings and loaded kernel modules
  22. # - No modifications allowed to Control Groups
  23. # - Hostname
  24. # - System Clock
  25. ProtectSystem=strict
  26. ProtectKernelTunables=true
  27. ProtectKernelModules=true
  28. ProtectControlGroups=true
  29. ProtectClock=true
  30. ProtectHostname=true
  31. # Prevent access to the following:
  32. # - /home directory
  33. # - Kernel logs
  34. ProtectHome=tmpfs
  35. ProtectKernelLogs=true
  36. # Make sure that the process can only see PIDs and process details of itself,
  37. # and the second option disables seeing details of things like system load and
  38. # I/O etc
  39. ProtectProc=invisible
  40. ProcSubset=pid
  41. # While not needed, we set these options explicitly
  42. # - This process has been given access to the host network
  43. # - It can also communicate with any IP Address
  44. PrivateNetwork=false
  45. RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
  46. IPAddressAllow=any
  47. # Restrict system calls to a sane bunch
  48. SystemCallArchitectures=native
  49. SystemCallFilter=@system-service
  50. SystemCallFilter=~@privileged @resources @obsolete
  51. # Misc restrictions
  52. # - Since the process is a python process it needs to be able to write and
  53. # execute memory regions, so we set MemoryDenyWriteExecute to false
  54. RestrictSUIDSGID=true
  55. RemoveIPC=true
  56. NoNewPrivileges=true
  57. RestrictRealtime=true
  58. RestrictNamespaces=true
  59. LockPersonality=true
  60. PrivateUsers=true
  61. MemoryDenyWriteExecute=false