| author | Savyasachee Jha <savyajha@users.noreply.github.com> | 2021-05-19 16:14:16 +0530 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-19 11:44:16 +0100 |
| commit | 5bba1b49058a648197f217268a3978d8acf09c51 (patch) | |
| tree | 11b548e65244b8465028e4f920ba3f95adebb5bd /docs/systemd-with-workers | |
| parent | Refactor checking restricted join rules (#10007) (diff) | |
Hardened systemd unit files (#9803)
Signed-off-by: Savyasachee Jha savya.jha@hawkradius.com
Diffstat (limited to 'docs/systemd-with-workers')
| -rw-r--r-- | docs/systemd-with-workers/README.md | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md index cfa36be7b4..a1135e9ed5 100644 --- a/docs/systemd-with-workers/README.md +++ b/docs/systemd-with-workers/README.md @@ -65,3 +65,33 @@ systemctl restart matrix-synapse-worker@federation_reader.service systemctl enable matrix-synapse-worker@federation_writer.service systemctl restart matrix-synapse.target ``` + +## Hardening + +**Optional:** If further hardening is desired, the file +`override-hardened.conf` may be copied from +`contrib/systemd/override-hardened.conf` in this repository to the location +`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the +directory may have to be created). It enables certain sandboxing features in +systemd to further secure the synapse service. You may read the comments to +understand what the override file is doing. The same file will need to be copied +to +`/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf` +(this directory may also have to be created) in order to apply the same +hardening options to any worker processes. + +Once these files have been copied to their appropriate locations, simply reload +systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically +be applied at every restart as long as the override files are present at the +specified locations. + +```sh +systemctl daemon-reload + +# Restart services +systemctl restart matrix-synapse.target +``` + +In order to see their effect, you may run `systemd-analyze security +matrix-synapse.service` before and after applying the hardening options to see +the changes being applied at a glance. |
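Review bot: the new Hardening section ends with `systemctl restart matrix-synapse.target` but gives the reader no step to confirm that the sandboxed services actually started; since the override enables systemd sandboxing features, a deployment that keeps its configuration, media store or signing key outside the paths the override expects can fail to come up after the restart. Suggest adding a check right after the restart, e.g. `systemctl status matrix-synapse.target` or `journalctl -u matrix-synapse.service`, and a sentence advising that the override be reviewed against the deployment's own paths before it is applied to production, rather than only "You may read the comments". Two smaller points: the line "systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically" is much longer than the 80-column wrap used by the rest of the hunk, and the hunk writes both "synapse service" and "Synapse services"; the capitalised form matches the rest of the file.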