Add systemd hardening

2026-01-21 23:08:21 +01:00 · 2025-12-24 08:41:46 +09:00
parent 82959f612f
commit 318538066f
2 changed files with 78 additions and 0 deletions
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
@@ -394,6 +394,45 @@ in {
              keys-directory = cfg.dataDir;
            };
          in "${wrapped}/bin/synapse_worker ${flags}";
+
+          CapabilityBoundingSet = [ "" ];
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          ReadWritePaths = [
+            cfg.dataDir
+            cfg.settings.media_store_path
+          ]
+          ++ (map (listener: dirOf listener.path) (
+            lib.filter (listener: listener.path != null) cfg.settings.listeners
+          ));
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@resources"
+            "~@privileged"
+          ];
        };
      };
    }));