[arch-general] matrix-synapse "enhanced" security

Uwe Sauter uwe.sauter.de at gmail.com
Thu Nov 18 19:02:23 UTC 2021 

Dear all,


beginning with matrix-synapse 1.44.0-1 in early October a Systemd override file (see below for reference) was included 
to the package that aims to enhance the security of Synapse. Amongst other things it tells Systemd to restrict access to 
certain directories that are seen as defaults.

Unfortunately this enhancement broke my setup by neglecting that there are various paths inside Synapse's configuration 
that can be customized, e.g. media_store_path and uploads_path.
The error I see in my logs is:

2021-11-18 19:54:30,772 - synapse.rest.media.v1.preview_url_resource - 559 - WARNING - expire_url_cache_data-1281 - 
Failed to remove media directory: '/srv/matrix/media_store/url_cache/2021-10-08': [Errno 30] Read-only file system: 
'/srv/matrix/media_store/url_cache/2021-10-08'
2021-11-18 19:54:30,774 - synapse.rest.media.v1.preview_url_resource - 617 - WARNING - expire_url_cache_data-1281 - 
Failed to remove media: '2021-10-08_cgWYZUYMTRBdzskW': [Errno 30] Read-only file system: '800-450-image-jpeg-scale'

It is also impossible to insert pictures into the chat. The client just tells "unable to send message" but no log entry 
is created on the server.


Did I miss any notification about this change?

Can anyone help me with customizing the Systemd override file so that Synapse regains access to media_store_path and 
uploads_path?

Any help is appreciated.


Thank you,

   Uwe



### /usr/lib/systemd/system/synapse.service.d/override-hardened.conf ###
[Service]
# The following directives give the synapse service R/W access to:
# - /run/synapse
# - /var/lib/synapse
# - /var/log/synapse

RuntimeDirectory=synapse
StateDirectory=synapse
LogsDirectory=synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
#   execute memory regions, so we set MemoryDenyWriteExecute to false
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false
### EOF ###

More information about the arch-general mailing list