[arch-commits] Commit in matrix-synapse/trunk (PKGBUILD override-hardened.conf)
Alexander Epaneshnikov
alex19ep at gemini.archlinux.org
Wed Oct 6 15:00:54 UTC 2021
Date: Wednesday, October 6, 2021 @ 15:00:53
Author: alex19ep
Revision: 1027851
upgpkg: matrix-synapse 1.44.0-2
add override-hardened.conf
Added:
matrix-synapse/trunk/override-hardened.conf
Modified:
matrix-synapse/trunk/PKGBUILD
------------------------+
PKGBUILD | 2 -
override-hardened.conf | 71 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-10-06 13:52:23 UTC (rev 1027850)
+++ PKGBUILD 2021-10-06 15:00:53 UTC (rev 1027851)
@@ -4,7 +4,7 @@
pkgname=matrix-synapse
pkgver=1.44.0
-pkgrel=1
+pkgrel=2
pkgdesc="Matrix reference homeserver"
url="https://github.com/matrix-org/synapse"
arch=('any')
Added: override-hardened.conf
===================================================================
--- override-hardened.conf (rev 0)
+++ override-hardened.conf 2021-10-06 15:00:53 UTC (rev 1027851)
@@ -0,0 +1,71 @@
+[Service]
+# The following directives give the synapse service R/W access to:
+# - /run/synapse
+# - /var/lib/synapse
+# - /var/log/synapse
+
+RuntimeDirectory=synapse
+StateDirectory=synapse
+LogsDirectory=synapse
+
+######################
+## Security Sandbox ##
+######################
+
+# Make sure that the service has its own unshared tmpfs at /tmp and that it
+# cannot see or change any real devices
+PrivateTmp=true
+PrivateDevices=true
+
+# We give no capabilities to a service by default
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Protect the following from modification:
+# - The entire filesystem
+# - sysctl settings and loaded kernel modules
+# - No modifications allowed to Control Groups
+# - Hostname
+# - System Clock
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+
+# Prevent access to the following:
+# - /home directory
+# - Kernel logs
+ProtectHome=tmpfs
+ProtectKernelLogs=true
+
+# Make sure that the process can only see PIDs and process details of itself,
+# and the second option disables seeing details of things like system load and
+# I/O etc
+ProtectProc=invisible
+ProcSubset=pid
+
+# While not needed, we set these options explicitly
+# - This process has been given access to the host network
+# - It can also communicate with any IP Address
+PrivateNetwork=false
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+IPAddressAllow=any
+
+# Restrict system calls to a sane bunch
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Misc restrictions
+# - Since the process is a python process it needs to be able to write and
+# execute memory regions, so we set MemoryDenyWriteExecute to false
+RestrictSUIDSGID=true
+RemoveIPC=true
+NoNewPrivileges=true
+RestrictRealtime=true
+RestrictNamespaces=true
+LockPersonality=true
+PrivateUsers=true
+MemoryDenyWriteExecute=false
More information about the arch-commits
mailing list