From e2cd6b54f758fdfd0c219259441fac8c841d5c07 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:16 +0530 Subject: [PATCH] Revert "Added some hardening measures to systemd unit files for managing the matrix-synapse service" This reverts commit 0d754ef4cf4a3a697b2c8e002bf3a9ac64af527f. --- debian/matrix-synapse.service | 71 ------------------- .../system/matrix-synapse-worker@.service | 71 ------------------- .../system/matrix-synapse.service | 71 ------------------- 3 files changed, 213 deletions(-) diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service index a23accfb33..553babf549 100644 --- a/debian/matrix-synapse.service +++ b/debian/matrix-synapse.service @@ -13,76 +13,5 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse -# The following directives give the synapse service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions, so we set MemoryDenyWriteExecute to false -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true -LockPersonality=true -PrivateUsers=true -MemoryDenyWriteExecute=false - [Install] WantedBy=multi-user.target diff --git a/docs/systemd-with-workers/system/matrix-synapse-worker@.service b/docs/systemd-with-workers/system/matrix-synapse-worker@.service index 04189113c4..d164e8ce1f 100644 --- a/docs/systemd-with-workers/system/matrix-synapse-worker@.service +++ b/docs/systemd-with-workers/system/matrix-synapse-worker@.service @@ -22,76 +22,5 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse-%i -# The following directives give the synapse worker service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true -LockPersonality=true -PrivateUsers=true -MemoryDenyWriteExecute=false - [Install] WantedBy=matrix-synapse.target diff --git a/docs/systemd-with-workers/system/matrix-synapse.service b/docs/systemd-with-workers/system/matrix-synapse.service index 9ee086f9f9..f6b6dfd3ce 100644 --- a/docs/systemd-with-workers/system/matrix-synapse.service +++ b/docs/systemd-with-workers/system/matrix-synapse.service @@ -18,76 +18,5 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse -# The following directives give the synapse service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true -LockPersonality=true -PrivateUsers=true -MemoryDenyWriteExecute=false - [Install] WantedBy=matrix-synapse.target