Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Hardened systemd unit files #9803

Merged
merged 20 commits into from
May 19, 2021
Merged
Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
0d754ef
Added some hardening measures to systemd unit files for managing the …
savyajha Apr 13, 2021
5be9e61
Added changelog
savyajha Apr 13, 2021
1de1225
Changed the changelog extension to correct one
savyajha Apr 13, 2021
f70c7aa
Added change to debian changelog
savyajha Apr 13, 2021
bfc0819
Added full stop to the end of changelog line
savyajha Apr 13, 2021
2a3b358
Renamed changelog file to correct pull request number
savyajha Apr 13, 2021
84fad5e
Update debian/matrix-synapse.service to match ordering in documentation
savyajha Apr 14, 2021
006576f
Revert "Update debian/matrix-synapse.service to match ordering in doc…
savyajha Apr 18, 2021
6783198
Revert "Renamed changelog file to correct pull request number"
savyajha Apr 18, 2021
df647d6
Revert "Added full stop to the end of changelog line"
savyajha Apr 18, 2021
2978ae1
Revert "Added change to debian changelog"
savyajha Apr 18, 2021
83d2f62
Revert "Changed the changelog extension to correct one"
savyajha Apr 18, 2021
8832e04
Revert "Added changelog"
savyajha Apr 18, 2021
e2cd6b5
Revert "Added some hardening measures to systemd unit files for manag…
savyajha Apr 18, 2021
12d1307
Made changes as requested in PR discussion and added a mention of har…
savyajha Apr 18, 2021
585ae38
Apply suggestions from code review by anoadragon453
savyajha May 18, 2021
ad8e2cc
Update changelog.d/9802.doc with a link to the actual issue
savyajha May 18, 2021
a36d1ec
Removed duplicate file for hardening systemd workers and updated the …
savyajha May 18, 2021
c891774
Apply suggestions from code review
anoadragon453 May 18, 2021
4d3d5dd
Fix changelog number
anoadragon453 May 18, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/9802.doc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Hardened systemd files as proposed in Issue 9760 and added them to contrib. Changed the docs to reflect the presence of these files in contrib.
savyajha marked this conversation as resolved.
Show resolved Hide resolved
71 changes: 71 additions & 0 deletions contrib/systemd-with-workers/override-hardened-workers.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
[Service]
savyajha marked this conversation as resolved.
Show resolved Hide resolved
# The following directives give the synapse service R/W access to:
# - /run/matrix-synapse
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

RuntimeDirectory=matrix-synapse
StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
# execute memory regions, so we set MemoryDenyWriteExecute to false
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false
71 changes: 71 additions & 0 deletions contrib/systemd/override-hardened.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
[Service]
# The following directives give the synapse service R/W access to:
# - /run/matrix-synapse
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

RuntimeDirectory=matrix-synapse
StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
CapabilityBoundingSet=
AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Prevent access to the following:
# - /home directory
# - Kernel logs
ProtectHome=tmpfs
ProtectKernelLogs=true

# Make sure that the process can only see PIDs and process details of itself,
# and the second option disables seeing details of things like system load and
# I/O etc
ProtectProc=invisible
ProcSubset=pid

# While not needed, we set these options explicitly
# - This process has been given access to the host network
# - It can also communicate with any IP Address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# Restrict system calls to a sane bunch
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Misc restrictions
# - Since the process is a python process it needs to be able to write and
# execute memory regions, so we set MemoryDenyWriteExecute to false
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
MemoryDenyWriteExecute=false
34 changes: 34 additions & 0 deletions docs/systemd-with-workers/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,37 @@ systemctl restart matrix-synapse-worker@federation_reader.service
systemctl enable matrix-synapse-worker@federation_writer.service
systemctl restart matrix-synapse.target
```

## Hardening

**Optional:** If further hardening is desired, the file
`override-hardened.conf` may be copied from
`contrib/systemd/override-hardened.conf` in this repository to the location
`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the
directory will have to be created). It enables certain sandboxing features in
savyajha marked this conversation as resolved.
Show resolved Hide resolved
systemd to further secure the synapse service. You may read the comments to
understand what the override file is doing. A similar override file at
`contrib/systemd-with-workers/override-hardened-worker.conf` may be copied to
`/etc/systemd/system/[email protected]/override-hardened-worker.conf`
(this directory will also have to be created) in order to apply the same
savyajha marked this conversation as resolved.
Show resolved Hide resolved
hardening options to any worker processes.

Once these files have been copied to their appropriate locations, simply run
the following commands to apply the hardening options. They will automatically
savyajha marked this conversation as resolved.
Show resolved Hide resolved
be applied at every restart as long as the override files are present at the
specified locations.

```sh
systemctl daemon-reload

# Restart the master
systemctl restart matrix-synapse.service

# If using a worker-based setup, restart the workers too.
# To restart a specific worker (eg. federation_reader):
systemctl restart matrix-synapse-worker@federation_reader.service
savyajha marked this conversation as resolved.
Show resolved Hide resolved
```

In order to see their effect, you may run `systemd-analyze security
matrix-synapse.service` before and after applying the hardening options to see
the changes being applied at a glance.