Move service hardening into the Debian packaging

Signed-off-by: Jörg Behrmann <[email protected]>
matrix-org · Aug 22, 2022 · 42ea892 · 42ea892
1 parent 13bc29f
commit 42ea892
Show file tree

Hide file tree

Showing 4 changed files with 126 additions and 101 deletions.
diff --git a/contrib/systemd/override-hardened.conf b/contrib/systemd/override-hardened.conf
diff --git a/debian/[email protected] b/debian/[email protected]
@@ -13,14 +13,77 @@ After=matrix-synapse.service
 [Service]
 Type=notify
 NotifyAccess=main
+
 User=matrix-synapse
 WorkingDirectory=/var/lib/matrix-synapse
+RuntimeDirectory=matrix-synapse
+StateDirectory=matrix-synapse
+LogsDirectory=matrix-synapse
 EnvironmentFile=-/etc/default/matrix-synapse
 ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 RestartSec=3
 SyslogIdentifier=matrix-synapse-%i
 
+## Hardening
+# Make sure that the service has its own unshared tmpfs at /tmp and that it
+# cannot see or change any real devices
+PrivateTmp=true
+PrivateDevices=true
+
+# We give no capabilities to a service by default
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Protect the following from modification:
+# - The entire filesystem
+# - sysctl settings and loaded kernel modules
+# - No modifications allowed to Control Groups
+# - Hostname
+# - System Clock
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+
+# Prevent access to the following:
+# - /home directory
+# - Kernel logs
+ProtectHome=tmpfs
+ProtectKernelLogs=true
+
+# Make sure that the process can only see PIDs and process details of itself,
+# and the second option disables seeing details of things like system load and
+# I/O etc
+ProtectProc=invisible
+ProcSubset=pid
+
+# While not needed, we set these options explicitly
+# - This process has been given access to the host network
+# - It can also communicate with any IP Address
+PrivateNetwork=false
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+IPAddressAllow=any
+
+# Restrict system calls to a sane bunch
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Misc restrictions
+# - Since the process is a python process it needs to be able to write and
+#   execute memory regions, so we set MemoryDenyWriteExecute to false
+RestrictSUIDSGID=true
+RemoveIPC=true
+NoNewPrivileges=true
+RestrictRealtime=true
+RestrictNamespaces=true
+LockPersonality=true
+PrivateUsers=true
+MemoryDenyWriteExecute=false
+
 [Install]
 WantedBy=matrix-synapse.target
diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service
@@ -8,8 +8,12 @@ ReloadPropagatedFrom=matrix-synapse.target
 [Service]
 Type=notify
 NotifyAccess=main
+
 User=matrix-synapse
 WorkingDirectory=/var/lib/matrix-synapse
+RuntimeDirectory=matrix-synapse
+StateDirectory=matrix-synapse
+LogsDirectory=matrix-synapse
 EnvironmentFile=-/etc/default/matrix-synapse
 ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
 ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
@@ -18,5 +22,64 @@ Restart=always
 RestartSec=3
 SyslogIdentifier=matrix-synapse
 
+## Hardening
+# Make sure that the service has its own unshared tmpfs at /tmp and that it
+# cannot see or change any real devices
+PrivateTmp=true
+PrivateDevices=true
+
+# We give no capabilities to a service by default
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Protect the following from modification:
+# - The entire filesystem
+# - sysctl settings and loaded kernel modules
+# - No modifications allowed to Control Groups
+# - Hostname
+# - System Clock
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+
+# Prevent access to the following:
+# - /home directory
+# - Kernel logs
+ProtectHome=tmpfs
+ProtectKernelLogs=true
+
+# Make sure that the process can only see PIDs and process details of itself,
+# and the second option disables seeing details of things like system load and
+# I/O etc
+ProtectProc=invisible
+ProcSubset=pid
+
+# While not needed, we set these options explicitly
+# - This process has been given access to the host network
+# - It can also communicate with any IP Address
+PrivateNetwork=false
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+IPAddressAllow=any
+
+# Restrict system calls to a sane bunch
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Misc restrictions
+# - Since the process is a python process it needs to be able to write and
+#   execute memory regions, so we set MemoryDenyWriteExecute to false
+RestrictSUIDSGID=true
+RemoveIPC=true
+NoNewPrivileges=true
+RestrictRealtime=true
+RestrictNamespaces=true
+LockPersonality=true
+PrivateUsers=true
+MemoryDenyWriteExecute=false
+
 [Install]
 WantedBy=matrix-synapse.target
diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md
@@ -57,33 +57,3 @@ systemctl restart matrix-synapse-worker@generic_worker.service
 systemctl enable matrix-synapse-worker@federation_writer.service
 systemctl restart matrix-synapse.target
 ```
-
-## Hardening
-
-**Optional:** If further hardening is desired, the file
-`override-hardened.conf` may be copied from
-[contrib/systemd/override-hardened.conf](https://github.com/matrix-org/synapse/tree/develop/contrib/systemd/)
-in this repository to the location
-`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the
-directory may have to be created). It enables certain sandboxing features in
-systemd to further secure the synapse service. You may read the comments to
-understand what the override file is doing. The same file will need to be copied to
-`/etc/systemd/system/[email protected]/override-hardened-worker.conf`
-(this directory may also have to be created) in order to apply the same
-hardening options to any worker processes.
-
-Once these files have been copied to their appropriate locations, simply reload
-systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically
-be applied at every restart as long as the override files are present at the
-specified locations.
-
-```sh
-systemctl daemon-reload
-
-# Restart services
-systemctl restart matrix-synapse.target
-```
-
-In order to see their effect, you may run `systemd-analyze security
-matrix-synapse.service` before and after applying the hardening options to see
-the changes being applied at a glance.