From df3935833b2e0d0d0fe138b4caf0cc2e06d14a3b Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 24 Dec 2025 08:41:46 +0900
Subject: [PATCH] {synapse,workers}: add systemd hardening

---
 synapse-module/default.nix | 43 ++++++++++++++++++++++++++++++++++++++
 synapse-module/workers.nix | 43 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)

diff --git a/synapse-module/default.nix b/synapse-module/default.nix
index c4c3fde..24073fe 100644
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -450,6 +450,49 @@ in
 in "${wrapped}/bin/synapse_homeserver ${flags}";
 ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
 Restart = "on-failure";
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ cfg.dataDir
+ cfg.settings.media_store_path
+ ]
+ ++ (map (listener: dirOf listener.path) (
+ lib.filter (listener: listener.path != null) cfg.settings.listeners
+ ));
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SocketBindAllow = lib.catAttrs "port" cfg.settings.listeners;
+ SocketBindDeny = "any";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
+ UMask = "0027";
 };
 };
 };
diff --git a/synapse-module/workers.nix b/synapse-module/workers.nix
index b068011..d3a3f47 100644
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
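Review bot: `SocketBindAllow = lib.catAttrs "port" cfg.settings.listeners;` will carry `null` entries for unix-socket listeners if `port` is a nullable option the way `path` evidently is (the `ReadWritePaths` expression a few lines up filters on `listener.path != null`), and the workers.nix hunk filters nulls at this spot while this one does not; `SocketBindAllow = lib.filter (p: p != null) (lib.catAttrs "port" cfg.settings.listeners);` keeps the two in step and avoids a bad `SocketBindAllow=` value reaching systemd. Separately, `SystemCallFilter` denies `@resources` without a `SystemCallErrorNumber`, so any filtered call terminates the process with SIGSYS instead of returning an error; as far as I know Synapse raises RLIMIT_NOFILE via setrlimit(2) at startup, which falls under `@resources`, so please verify a cold start of the unit and consider adding `SystemCallErrorNumber = "EPERM";` so a hit surfaces as a logged error rather than a restart loop. The same filter block is added in the workers.nix hunk. The enclosing serviceConfig attribute set starts outside the hunk.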
@@ -394,6 +394,49 @@ in { keys-directory = cfg.dataDir; };
 in "${wrapped}/bin/synapse_worker ${flags}";
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ cfg.dataDir
+ cfg.settings.media_store_path
+ ]
+ ++ (map (listener: dirOf listener.path) (
+ lib.filter (listener: listener.path != null) cfg.settings.listeners
+ ));
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SocketBindAllow = lib.catAttrs "port" (lib.filterAttrsRecursive (_: v: v != null) worker.value.settings.worker_listeners);
+ SocketBindDeny = "any";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
+ UMask = "0027";
 };
 };
 }));
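Review bot: `lib.catAttrs "port" (lib.filterAttrsRecursive (_: v: v != null) worker.value.settings.worker_listeners)` cannot evaluate as written: `filterAttrsRecursive` takes and returns an attribute set, while `catAttrs` maps over a list of attribute sets, so one of the two calls sees the wrong type whatever shape `worker_listeners` has (by analogy with `cfg.settings.listeners` in default.nix it is presumably a list). `SocketBindAllow = lib.filter (p: p != null) (lib.catAttrs "port" worker.value.settings.worker_listeners);` expresses the intent and matches the null filtering the neighbouring `ReadWritePaths` already does. That `ReadWritePaths` also derives its socket directories from `cfg.settings.listeners`, the homeserver's listeners, rather than this worker's `worker.value.settings.worker_listeners`; if a worker listens on a unix socket of its own, `ProtectSystem = "strict"` will refuse to create it, which looks unintended. The enclosing serviceConfig attribute set starts outside the hunk.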