[arch-commits] Commit in matrix-synapse/trunk (PKGBUILD override-hardened.conf)

Alexander Epaneshnikov alex19ep at gemini.archlinux.org
Wed Oct 6 15:00:54 UTC 2021


    Date: Wednesday, October 6, 2021 @ 15:00:53
  Author: alex19ep
Revision: 1027851

upgpkg: matrix-synapse 1.44.0-2

add override-hardened.conf                                                                                                                               

Added:
  matrix-synapse/trunk/override-hardened.conf
Modified:
  matrix-synapse/trunk/PKGBUILD

------------------------+
 PKGBUILD               |    2 -
 override-hardened.conf |   71 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-10-06 13:52:23 UTC (rev 1027850)
+++ PKGBUILD	2021-10-06 15:00:53 UTC (rev 1027851)
@@ -4,7 +4,7 @@
 
 pkgname=matrix-synapse
 pkgver=1.44.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Matrix reference homeserver"
 url="https://github.com/matrix-org/synapse"
 arch=('any')

Added: override-hardened.conf
===================================================================
--- override-hardened.conf	                        (rev 0)
+++ override-hardened.conf	2021-10-06 15:00:53 UTC (rev 1027851)
@@ -0,0 +1,71 @@
+[Service]
+# The following directives give the synapse service R/W access to:
+# - /run/synapse
+# - /var/lib/synapse
+# - /var/log/synapse
+
+RuntimeDirectory=synapse
+StateDirectory=synapse
+LogsDirectory=synapse
+
+######################
+## Security Sandbox ##
+######################
+
+# Make sure that the service has its own unshared tmpfs at /tmp and that it
+# cannot see or change any real devices
+PrivateTmp=true
+PrivateDevices=true
+
+# We give no capabilities to a service by default
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Protect the following from modification:
+# - The entire filesystem
+# - sysctl settings and loaded kernel modules
+# - No modifications allowed to Control Groups
+# - Hostname
+# - System Clock
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+
+# Prevent access to the following:
+# - /home directory
+# - Kernel logs
+ProtectHome=tmpfs
+ProtectKernelLogs=true
+
+# Make sure that the process can only see PIDs and process details of itself,
+# and the second option disables seeing details of things like system load and
+# I/O etc
+ProtectProc=invisible
+ProcSubset=pid
+
+# While not needed, we set these options explicitly
+# - This process has been given access to the host network
+# - It can also communicate with any IP Address
+PrivateNetwork=false
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+IPAddressAllow=any
+
+# Restrict system calls to a sane bunch
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Misc restrictions
+# - Since the process is a python process it needs to be able to write and
+#   execute memory regions, so we set MemoryDenyWriteExecute to false
+RestrictSUIDSGID=true
+RemoveIPC=true
+NoNewPrivileges=true
+RestrictRealtime=true
+RestrictNamespaces=true
+LockPersonality=true
+PrivateUsers=true
+MemoryDenyWriteExecute=false
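Review bot: The subtractive filter on the `SystemCallFilter=~@privileged @resources @obsolete` line removes the `@resources` group (setrlimit/prlimit64, sched_setaffinity, ioprio_set, …) that `@system-service` otherwise grants, and there is no `SystemCallErrorNumber=` in this drop-in, so systemd's default action for a filtered call is to kill the process with SIGSYS rather than return an error. Synapse, as far as I recall, tries to raise its RLIMIT_NOFILE soft limit at startup inside a try/except (synapse.app._base), which would handle EPERM gracefully but cannot survive SIGSYS; this is worth confirming on a real start before shipping the hardening by default. If that is the case, add `SystemCallErrorNumber=EPERM` directly after the two filter lines, so a denied syscall surfaces as a catchable error and shows up in the journal instead of as a silent crash loop. Separately, the comment block above the network settings should say that `IPAddressAllow=any` with no `IPAddressDeny=` is the default and imposes no restriction, e.g. `# IPAddressAllow=any is the default; set IPAddressDeny= first if you want to restrict peers`, so nobody reads it as an allow-list. Note also that `ProtectSystem=strict` leaves only the three `*Directory=` paths writable, so a deployment that points `media_store_path` outside /var/lib/synapse needs a `ReadWritePaths=` override.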


