matrix-org · behrmann · Aug 19, 2022 · Aug 19, 2022 · Aug 19, 2022 · Aug 19, 2022
@@ -0,0 +1 @@
+Update Debian packaging.
@@ -1 +1 @@
-10
+12
@@ -4,7 +4,7 @@ Priority: extra
 Maintainer: Synapse Packaging team <[email protected]>
 # keep this list in sync with the build dependencies in docker/Dockerfile-dhvirtualenv.
 Build-Depends:
- debhelper (>= 10),
+ debhelper (>= 12),
  dh-virtualenv (>= 1.1),
  libsystemd-dev,
  libpq-dev,

@@ -6,6 +6,7 @@
 CONFIGFILE_SERVERNAME="/etc/matrix-synapse/conf.d/server_name.yaml"
 CONFIGFILE_REPORTSTATS="/etc/matrix-synapse/conf.d/report_stats.yaml"
 USER="matrix-synapse"
+GROUP="matrix-synapse"
 
 case "$1" in
   configure|reconfigure)
@@ -40,12 +41,12 @@ EOF
     /opt/venvs/matrix-synapse/lib/manage_debconf.pl update
 
     if ! getent passwd $USER >/dev/null; then
-      adduser --quiet --system --no-create-home --home /var/lib/matrix-synapse $USER
+      adduser --quiet --system --group --no-create-home --home /var/lib/matrix-synapse $USER
     fi
 
     for DIR in /var/lib/matrix-synapse /var/log/matrix-synapse /etc/matrix-synapse; do
       if ! dpkg-statoverride --list --quiet $DIR >/dev/null; then
-        dpkg-statoverride --force --quiet --update --add $USER nogroup 0755 $DIR
+        dpkg-statoverride --force --quiet --update --add $USER $GROUP 0755 $DIR
       fi
     done
 

@@ -1,17 +1,32 @@
+[Unit]
+Description=Synapse %i
+AssertPathExists=/etc/matrix-synapse/workers/%i.yaml
+
+# This service should be restarted when the synapse target is restarted.
+PartOf=matrix-synapse.target
+ReloadPropagatedFrom=matrix-synapse.target
+
+# If this is started at the same time as the main, let the main process start
+# first, to initialise the database schema.
+After=matrix-synapse.service
+
 [Service]
-# The following directives give the synapse service R/W access to:
-# - /run/matrix-synapse
-# - /var/lib/matrix-synapse
-# - /var/log/matrix-synapse
+Type=notify
+NotifyAccess=main
 
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
 RuntimeDirectory=matrix-synapse
 StateDirectory=matrix-synapse
 LogsDirectory=matrix-synapse
+EnvironmentFile=-/etc/default/matrix-synapse
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse-%i
 
-######################
-## Security Sandbox ##
-######################
-
+## Hardening
 # Make sure that the service has its own unshared tmpfs at /tmp and that it
 # cannot see or change any real devices
 PrivateTmp=true
@@ -69,3 +84,6 @@ RestrictNamespaces=true
 LockPersonality=true
 PrivateUsers=true
 MemoryDenyWriteExecute=false
+
+[Install]
+WantedBy=matrix-synapse.target
@@ -1,10 +1,19 @@
 [Unit]
 Description=Synapse Matrix homeserver
 
+# This service should be restarted when the synapse target is restarted.
+PartOf=matrix-synapse.target
+ReloadPropagatedFrom=matrix-synapse.target
+
 [Service]
 Type=notify
+NotifyAccess=main
+
 User=matrix-synapse
 WorkingDirectory=/var/lib/matrix-synapse
+RuntimeDirectory=matrix-synapse
+StateDirectory=matrix-synapse
+LogsDirectory=matrix-synapse
 EnvironmentFile=-/etc/default/matrix-synapse
 ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
 ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
@@ -13,5 +22,64 @@ Restart=always
 RestartSec=3
 SyslogIdentifier=matrix-synapse
 
+## Hardening
+# Make sure that the service has its own unshared tmpfs at /tmp and that it
+# cannot see or change any real devices
+PrivateTmp=true
+PrivateDevices=true
+
+# We give no capabilities to a service by default
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Protect the following from modification:
+# - The entire filesystem
+# - sysctl settings and loaded kernel modules
+# - No modifications allowed to Control Groups
+# - Hostname
+# - System Clock
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+
+# Prevent access to the following:
+# - /home directory
+# - Kernel logs
+ProtectHome=tmpfs
+ProtectKernelLogs=true
+
+# Make sure that the process can only see PIDs and process details of itself,
+# and the second option disables seeing details of things like system load and
+# I/O etc
+ProtectProc=invisible
+ProcSubset=pid
+
+# While not needed, we set these options explicitly
+# - This process has been given access to the host network
+# - It can also communicate with any IP Address
+PrivateNetwork=false
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+IPAddressAllow=any
+
+# Restrict system calls to a sane bunch
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Misc restrictions
+# - Since the process is a python process it needs to be able to write and
+#   execute memory regions, so we set MemoryDenyWriteExecute to false
+RestrictSUIDSGID=true
+RemoveIPC=true
+NoNewPrivileges=true
+RestrictRealtime=true
+RestrictNamespaces=true
+LockPersonality=true
+PrivateUsers=true
+MemoryDenyWriteExecute=false
+
 [Install]
-WantedBy=multi-user.target
+WantedBy=matrix-synapse.target
@@ -6,15 +6,17 @@
 # assume we only have one package
 PACKAGE_NAME:=`dh_listpackages`
 
-override_dh_systemd_enable:
-	dh_systemd_enable --name=matrix-synapse
-
-override_dh_installinit:
-	dh_installinit --name=matrix-synapse
+override_dh_installsystemd:
+	dh_installsystemd --name=matrix-synapse
+	dh_installsystemd --no-enable --name=matrix-synapse-worker@ [email protected]
 
 # we don't really want to strip the symbols from our object files.
 override_dh_strip:
 
+# we also don't need to optimise the size of the debug information, this also
+# avoids a crash
+override_dh_dwz:
+
 # dh_shlibdeps calls dpkg-shlibdeps, which finds all the binary files
 # (executables and shared libs) in the package, and looks for the shared
 # libraries that they depend on. It then adds a dependency on the package that

@@ -1,13 +1,8 @@
 # Setting up Synapse with Workers and Systemd
 
-This is a setup for managing synapse with systemd, including support for
-managing workers. It provides a `matrix-synapse` service for the master, as
-well as a `matrix-synapse-worker@` service template for any workers you
-require. Additionally, to group the required services, it sets up a
-`matrix-synapse.target`.
-
-See the folder [system](https://github.com/matrix-org/synapse/tree/develop/docs/systemd-with-workers/system/)
-for the systemd unit files.
+The necessary service files are included in the Debian packaging, see
+[debian](https://github.com/matrix-org/synapse/tree/develop/debian/) for the
+systemd unit files.
 
 The folder [workers](https://github.com/matrix-org/synapse/tree/develop/docs/systemd-with-workers/workers/)
 contains an example configuration for the `generic_worker` worker.
@@ -33,18 +28,11 @@ There is no need for a separate configuration file for the master process.
 ## Set up
 
 1. Adjust synapse configuration files as above.
-1. Copy the `*.service` and `*.target` files in [system](https://github.com/matrix-org/synapse/tree/develop/docs/systemd-with-workers/system/)
-to `/etc/systemd/system`.
-1. Run `systemctl daemon-reload` to tell systemd to load the new unit files.
-1. Run `systemctl enable matrix-synapse.service`. This will configure the
-synapse master process to be started as part of the `matrix-synapse.target`
-target.
 1. For each worker process to be enabled, run `systemctl enable
 matrix-synapse-worker@<worker_name>.service`. For each `<worker_name>`, there
 should be a corresponding configuration file.
 `/etc/matrix-synapse/workers/<worker_name>.yaml`.
 1. Start all the synapse processes with `systemctl start matrix-synapse.target`.
-1. Tell systemd to start synapse on boot with `systemctl enable matrix-synapse.target`.
 
 ## Usage
 
@@ -69,33 +57,3 @@ systemctl restart matrix-synapse-worker@generic_worker.service
 systemctl enable matrix-synapse-worker@federation_writer.service
 systemctl restart matrix-synapse.target
 ```
-
-## Hardening
-
-**Optional:** If further hardening is desired, the file
-`override-hardened.conf` may be copied from
-[contrib/systemd/override-hardened.conf](https://github.com/matrix-org/synapse/tree/develop/contrib/systemd/)
-in this repository to the location
-`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the
-directory may have to be created). It enables certain sandboxing features in
-systemd to further secure the synapse service. You may read the comments to
-understand what the override file is doing. The same file will need to be copied to
-`/etc/systemd/system/[email protected]/override-hardened-worker.conf`
-(this directory may also have to be created) in order to apply the same
-hardening options to any worker processes.
-
-Once these files have been copied to their appropriate locations, simply reload
-systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically
-be applied at every restart as long as the override files are present at the
-specified locations.
-
-```sh
-systemctl daemon-reload
-
-# Restart services
-systemctl restart matrix-synapse.target
-```
-
-In order to see their effect, you may run `systemd-analyze security
-matrix-synapse.service` before and after applying the hardening options to see
-the changes being applied at a glance.