diff --git a/contrib/systemd-with-workers/override-hardened-workers.conf b/contrib/systemd-with-workers/override-hardened-workers.conf deleted file mode 100644 index b2fa3ae7c5..0000000000 --- a/contrib/systemd-with-workers/override-hardened-workers.conf +++ /dev/null 
@@ -1,71 +0,0 @@ -[Service] -# The following directives give the synapse service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions, so we set MemoryDenyWriteExecute to false -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true -LockPersonality=true 
-PrivateUsers=true -MemoryDenyWriteExecute=false diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md index 074e1ead57..19ac1a3306 100644 --- a/docs/systemd-with-workers/README.md +++ b/docs/systemd-with-workers/README.md @@ -74,8 +74,8 @@ systemctl restart matrix-synapse.target `/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the directory may have to be created). It enables certain sandboxing features in systemd to further secure the synapse service. You may read the comments to -understand what the override file is doing. A similar override file at -`contrib/systemd-with-workers/override-hardened-worker.conf` may be copied to +understand what the override file is doing. The same file at may also be copied +to `/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf` (this directory may also have to be created) in order to apply the same hardening options to any worker processes. @@ -88,12 +88,8 @@ specified locations. ```sh systemctl daemon-reload -# Restart the master -systemctl restart matrix-synapse.service - -# If using a worker-based setup, restart the workers too. -# To restart a specific worker (eg. federation_reader): -systemctl restart matrix-synapse-worker@federation_reader.service +# Restart the services +systemctl restart matrix-synapse.target ``` In order to see their effect, you may run `systemd-analyze security
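Review bot: The deletion hunk removes `override-hardened-workers.conf`, whose own comments say the three `RuntimeDirectory=`, `StateDirectory=` and `LogsDirectory=matrix-synapse` lines are what give the sandboxed service write access under `/run`, `/var/lib` and `/var/log` once `ProtectSystem=strict` is in force. Since the README is being changed to tell users to install "the same file" into `matrix-synapse-worker@.service.d/`, please confirm in the commit message that the surviving `override-hardened.conf` carries those same directives (and the same `SystemCallFilter=` and `MemoryDenyWriteExecute=false` lines); if it does not, a worker started under the template will be unable to write its logs or state. Also worth noting explicitly that the deleted file was named `override-hardened-workers.conf` while the docs referred to `override-hardened-worker.conf`, so the removal also clears up that mismatch.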
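Review bot: In the `@@ -74,8 +74,8 @@` README hunk the new sentence has a stray word: "The same file at may also be copied to" should read "The same file may also be copied to". While touching it, say which file is meant, e.g. "The same `override-hardened.conf` may also be copied to", so the reader does not have to look back to the previous paragraph to work out that the service override and the worker override are now one and the same file.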
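Review bot: In the `@@ -88,12 +88,8 @@` hunk, `systemctl restart matrix-synapse.target` only restarts units that declare `PartOf=matrix-synapse.target` (or are otherwise bound to it); the removed lines were the only place this section showed how to restart a single worker (`systemctl restart matrix-synapse-worker@federation_reader.service`). Suggest either keeping that one-liner as an additional example or adding a sentence saying that the target restart covers the main process and every worker because the unit files are `PartOf=` the target, so someone using hand-written units knows why a worker may not have picked up the new override.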