author | Savyasachee Jha <genghizkhan91@hawkradius.com> | 2021-04-18 15:56:16 +0530 |
---|---|---|
committer | Savyasachee Jha <genghizkhan91@hawkradius.com> | 2021-04-18 15:56:16 +0530 |
commit | e2cd6b54f758fdfd0c219259441fac8c841d5c07 (patch) | |
tree | a20c312c2953d1e53b27df36bd5d17c8b9f88ef4 | |
parent | Revert "Added changelog" (diff) | |
download | synapse-e2cd6b54f758fdfd0c219259441fac8c841d5c07.tar.xz |
Revert "Added some hardening measures to systemd unit files for managing the matrix-synapse service"
This reverts commit 0d754ef4cf4a3a697b2c8e002bf3a9ac64af527f.
-rw-r--r-- | debian/matrix-synapse.service | 71 | ||||
-rw-r--r-- | docs/systemd-with-workers/system/matrix-synapse-worker@.service | 71 | ||||
-rw-r--r-- | docs/systemd-with-workers/system/matrix-synapse.service | 71 |
3 files changed, 0 insertions, 213 deletions
diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service
index a23accfb33..553babf549 100644
--- a/debian/matrix-synapse.service
+++ b/debian/matrix-synapse.service
@@ -13,76 +13,5 @@
 Restart=always
 RestartSec=3
 SyslogIdentifier=matrix-synapse
-# The following directives give the synapse service R/W access to:
-# - /run/matrix-synapse
-# - /var/lib/matrix-synapse
-# - /var/log/matrix-synapse
-
-RuntimeDirectory=matrix-synapse
-StateDirectory=matrix-synapse
-LogsDirectory=matrix-synapse
-
-######################
-## Security Sandbox ##
-######################
-
-# Make sure that the service has its own unshared tmpfs at /tmp and that it
-# cannot see or change any real devices
-PrivateTmp=true
-PrivateDevices=true
-
-# We give no capabilities to a service by default
-CapabilityBoundingSet=
-AmbientCapabilities=
-
-# Protect the following from modification:
-# - The entire filesystem
-# - sysctl settings and loaded kernel modules
-# - No modifications allowed to Control Groups
-# - Hostname
-# - System Clock
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-ProtectClock=true
-ProtectHostname=true
-
-# Prevent access to the following:
-# - /home directory
-# - Kernel logs
-ProtectHome=tmpfs
-ProtectKernelLogs=true
-
-# Make sure that the process can only see PIDs and process details of itself,
-# and the second option disables seeing details of things like system load and
-# I/O etc
-ProtectProc=invisible
-ProcSubset=pid
-
-# While not needed, we set these options explicitly
-# - This process has been given access to the host network
-# - It can also communicate with any IP Address
-PrivateNetwork=false
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-IPAddressAllow=any
-
-# Restrict system calls to a sane bunch
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @obsolete
-
-# Misc restrictions
-# - Since the process is a python process it needs to be able to write and
-# execute memory regions, so we set MemoryDenyWriteExecute to false
-RestrictSUIDSGID=true
-RemoveIPC=true
-NoNewPrivileges=true
-RestrictRealtime=true
-RestrictNamespaces=true
-LockPersonality=true
-PrivateUsers=true
-MemoryDenyWriteExecute=false
-
 [Install]
 WantedBy=multi-user.target
diff --git a/docs/systemd-with-workers/system/matrix-synapse-worker@.service b/docs/systemd-with-workers/system/matrix-synapse-worker@.service
index 04189113c4..d164e8ce1f 100644
--- a/docs/systemd-with-workers/system/matrix-synapse-worker@.service
+++ b/docs/systemd-with-workers/system/matrix-synapse-worker@.service
@@ -22,76 +22,5 @@
 Restart=always
 RestartSec=3
 SyslogIdentifier=matrix-synapse-%i
-# The following directives give the synapse worker service R/W access to:
-# - /run/matrix-synapse
-# - /var/lib/matrix-synapse
-# - /var/log/matrix-synapse
-
-RuntimeDirectory=matrix-synapse
-StateDirectory=matrix-synapse
-LogsDirectory=matrix-synapse
-
-######################
-## Security Sandbox ##
-######################
-
-# Make sure that the service has its own unshared tmpfs at /tmp and that it
-# cannot see or change any real devices
-PrivateTmp=true
-PrivateDevices=true
-
-# We give no capabilities to a service by default
-CapabilityBoundingSet=
-AmbientCapabilities=
-
-# Protect the following from modification:
-# - The entire filesystem
-# - sysctl settings and loaded kernel modules
-# - No modifications allowed to Control Groups
-# - Hostname
-# - System Clock
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-ProtectClock=true
-ProtectHostname=true
-
-# Prevent access to the following:
-# - /home directory
-# - Kernel logs
-ProtectHome=tmpfs
-ProtectKernelLogs=true
-
-# Make sure that the process can only see PIDs and process details of itself,
-# and the second option disables seeing details of things like system load and
-# I/O etc
-ProtectProc=invisible
-ProcSubset=pid
-
-# While not needed, we set these options explicitly
-# - This process has been given access to the host network
-# - It can also communicate with any IP Address
-PrivateNetwork=false
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-IPAddressAllow=any
-
-# Restrict system calls to a sane bunch
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @obsolete
-
-# Misc restrictions
-# - Since the process is a python process it needs to be able to write and
-# execute memory regions
-RestrictSUIDSGID=true
-RemoveIPC=true
-NoNewPrivileges=true
-RestrictRealtime=true
-RestrictNamespaces=true
-LockPersonality=true
-PrivateUsers=true
-MemoryDenyWriteExecute=false
-
 [Install]
 WantedBy=matrix-synapse.target
diff --git a/docs/systemd-with-workers/system/matrix-synapse.service b/docs/systemd-with-workers/system/matrix-synapse.service
index 9ee086f9f9..f6b6dfd3ce 100644
--- a/docs/systemd-with-workers/system/matrix-synapse.service
+++ b/docs/systemd-with-workers/system/matrix-synapse.service
@@ -18,76 +18,5 @@
 Restart=always
 RestartSec=3
 SyslogIdentifier=matrix-synapse
-# The following directives give the synapse service R/W access to:
-# - /run/matrix-synapse
-# - /var/lib/matrix-synapse
-# - /var/log/matrix-synapse
-
-RuntimeDirectory=matrix-synapse
-StateDirectory=matrix-synapse
-LogsDirectory=matrix-synapse
-
-######################
-## Security Sandbox ##
-######################
-
-# Make sure that the service has its own unshared tmpfs at /tmp and that it
-# cannot see or change any real devices
-PrivateTmp=true
-PrivateDevices=true
-
-# We give no capabilities to a service by default
-CapabilityBoundingSet=
-AmbientCapabilities=
-
-# Protect the following from modification:
-# - The entire filesystem
-# - sysctl settings and loaded kernel modules
-# - No modifications allowed to Control Groups
-# - Hostname
-# - System Clock
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-ProtectClock=true
-ProtectHostname=true
-
-# Prevent access to the following:
-# - /home directory
-# - Kernel logs
-ProtectHome=tmpfs
-ProtectKernelLogs=true
-
-# Make sure that the process can only see PIDs and process details of itself,
-# and the second option disables seeing details of things like system load and
-# I/O etc
-ProtectProc=invisible
-ProcSubset=pid
-
-# While not needed, we set these options explicitly
-# - This process has been given access to the host network
-# - It can also communicate with any IP Address
-PrivateNetwork=false
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-IPAddressAllow=any
-
-# Restrict system calls to a sane bunch
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @obsolete
-
-# Misc restrictions
-# - Since the process is a python process it needs to be able to write and
-# execute memory regions
-RestrictSUIDSGID=true
-RemoveIPC=true
-NoNewPrivileges=true
-RestrictRealtime=true
-RestrictNamespaces=true
-LockPersonality=true
-PrivateUsers=true
-MemoryDenyWriteExecute=false
-
 [Install]
 WantedBy=matrix-synapse.target |