From 0d754ef4cf4a3a697b2c8e002bf3a9ac64af527f Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 13 Apr 2021 19:39:43 +0530 Subject: [PATCH 01/20] Added some hardening measures to systemd unit files for managing the matrix-synapse service --- debian/matrix-synapse.service | 71 +++++++++++++++++++ .../system/matrix-synapse-worker@.service | 71 +++++++++++++++++++ .../system/matrix-synapse.service | 71 +++++++++++++++++++ 3 files changed, 213 insertions(+) diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service index 553babf5492d..a23accfb333e 100644 --- a/debian/matrix-synapse.service +++ b/debian/matrix-synapse.service 
@@ -13,5 +13,76 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse +# The following directives give the synapse service R/W access to: +# - /run/matrix-synapse +# - /var/lib/matrix-synapse +# - /var/log/matrix-synapse + +RuntimeDirectory=matrix-synapse +StateDirectory=matrix-synapse +LogsDirectory=matrix-synapse + +###################### +## Security Sandbox ## +###################### + +# Make sure that the service has its own unshared tmpfs at /tmp and that it +# cannot see or change any real devices +PrivateTmp=true +PrivateDevices=true + +# We give no capabilities to a service by default +CapabilityBoundingSet= +AmbientCapabilities= + +# Protect the following from modification: +# - The entire filesystem +# - sysctl settings and loaded kernel modules +# - No modifications allowed to Control Groups +# - Hostname +# - System Clock +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +ProtectClock=true +ProtectHostname=true + +# Prevent access to the following: +# - /home directory +# - Kernel logs +ProtectHome=tmpfs +ProtectKernelLogs=true + +# Make sure that the process can only see PIDs and process details of itself, +# and the second option disables seeing details of things like system load and +# I/O etc +ProtectProc=invisible +ProcSubset=pid + +# While not needed, we set these options explicitly +# - This process has been given access to the host network +# - It can also communicate with any IP Address +PrivateNetwork=false +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +IPAddressAllow=any + +# Restrict system calls to a sane bunch +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources @obsolete + +# Misc restrictions +# - Since the process is a python process it needs to be able to write and +# execute memory regions, so we set MemoryDenyWriteExecute to false +RestrictSUIDSGID=true +RemoveIPC=true +NoNewPrivileges=true 
+RestrictRealtime=true +RestrictNamespaces=true +LockPersonality=true +PrivateUsers=true +MemoryDenyWriteExecute=false + [Install] WantedBy=multi-user.target diff --git a/docs/systemd-with-workers/system/matrix-synapse-worker@.service b/docs/systemd-with-workers/system/matrix-synapse-worker@.service index d164e8ce1f88..04189113c4eb 100644 --- a/docs/systemd-with-workers/system/matrix-synapse-worker@.service +++ b/docs/systemd-with-workers/system/matrix-synapse-worker@.service 
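Review bot: The `SystemCallFilter=` block in debian/matrix-synapse.service sets no `SystemCallErrorNumber=`, so any call caught by `~@privileged @resources @obsolete` terminates the process with SIGSYS instead of returning an error the Python code could handle. `@resources` covers `setrlimit`/`prlimit64`; if Synapse raises `RLIMIT_NOFILE` at startup (the `soft_file_limit` option), that call will be trapped, so please confirm the unit was tested with that option set and consider adding `SystemCallErrorNumber=EPERM` so a filtered call fails visibly in the journal rather than killing the service. It would also help to state the minimum systemd version in the comments: `ProtectProc=` and `ProcSubset=` only exist from systemd 247, and older releases (Debian buster ships 241) log "Unknown key name" and ignore such directives, which leaves the unit quietly weaker than the comments describe.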
@@ -22,5 +22,76 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse-%i +# The following directives give the synapse worker service R/W access to: +# - /run/matrix-synapse +# - /var/lib/matrix-synapse +# - /var/log/matrix-synapse + +RuntimeDirectory=matrix-synapse +StateDirectory=matrix-synapse +LogsDirectory=matrix-synapse + +###################### +## Security Sandbox ## +###################### + +# Make sure that the service has its own unshared tmpfs at /tmp and that it +# cannot see or change any real devices +PrivateTmp=true +PrivateDevices=true + +# We give no capabilities to a service by default +CapabilityBoundingSet= +AmbientCapabilities= + +# Protect the following from modification: +# - The entire filesystem +# - sysctl settings and loaded kernel modules +# - No modifications allowed to Control Groups +# - Hostname +# - System Clock +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +ProtectClock=true +ProtectHostname=true + +# Prevent access to the following: +# - /home directory +# - Kernel logs +ProtectHome=tmpfs +ProtectKernelLogs=true + +# Make sure that the process can only see PIDs and process details of itself, +# and the second option disables seeing details of things like system load and +# I/O etc +ProtectProc=invisible +ProcSubset=pid + +# While not needed, we set these options explicitly +# - This process has been given access to the host network +# - It can also communicate with any IP Address +PrivateNetwork=false +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +IPAddressAllow=any + +# Restrict system calls to a sane bunch +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources @obsolete + +# Misc restrictions +# - Since the process is a python process it needs to be able to write and +# execute memory regions +RestrictSUIDSGID=true +RemoveIPC=true +NoNewPrivileges=true +RestrictRealtime=true +RestrictNamespaces=true 
+LockPersonality=true +PrivateUsers=true +MemoryDenyWriteExecute=false + [Install] WantedBy=matrix-synapse.target diff --git a/docs/systemd-with-workers/system/matrix-synapse.service b/docs/systemd-with-workers/system/matrix-synapse.service index f6b6dfd3ce8e..9ee086f9f93a 100644 --- a/docs/systemd-with-workers/system/matrix-synapse.service +++ b/docs/systemd-with-workers/system/matrix-synapse.service 
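Review bot: `RuntimeDirectory=matrix-synapse` in the worker template shares one runtime directory between the main process and every worker instance, and systemd removes a unit's `RuntimeDirectory=` when that unit stops (`RuntimeDirectoryPreserve=` defaults to no). Stopping or restarting a single `matrix-synapse-worker@` instance therefore deletes /run/matrix-synapse while the main process and the other workers are still using it. Either set `RuntimeDirectoryPreserve=yes` in both units, or leave the directory out of the worker template and let the main service own it. Smaller point: the "Misc restrictions" comment in this copy drops the "so we set MemoryDenyWriteExecute to false" explanation that the debian copy carries; the copies should have identical comments.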
@@ -18,5 +18,76 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse +# The following directives give the synapse service R/W access to: +# - /run/matrix-synapse +# - /var/lib/matrix-synapse +# - /var/log/matrix-synapse + +RuntimeDirectory=matrix-synapse +StateDirectory=matrix-synapse +LogsDirectory=matrix-synapse + +###################### +## Security Sandbox ## +###################### + +# Make sure that the service has its own unshared tmpfs at /tmp and that it +# cannot see or change any real devices +PrivateTmp=true +PrivateDevices=true + +# We give no capabilities to a service by default +CapabilityBoundingSet= +AmbientCapabilities= + +# Protect the following from modification: +# - The entire filesystem +# - sysctl settings and loaded kernel modules +# - No modifications allowed to Control Groups +# - Hostname +# - System Clock +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +ProtectClock=true +ProtectHostname=true + +# Prevent access to the following: +# - /home directory +# - Kernel logs +ProtectHome=tmpfs +ProtectKernelLogs=true + +# Make sure that the process can only see PIDs and process details of itself, +# and the second option disables seeing details of things like system load and +# I/O etc +ProtectProc=invisible +ProcSubset=pid + +# While not needed, we set these options explicitly +# - This process has been given access to the host network +# - It can also communicate with any IP Address +PrivateNetwork=false +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +IPAddressAllow=any + +# Restrict system calls to a sane bunch +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources @obsolete + +# Misc restrictions +# - Since the process is a python process it needs to be able to write and +# execute memory regions +RestrictSUIDSGID=true +RemoveIPC=true +NoNewPrivileges=true +RestrictRealtime=true +RestrictNamespaces=true 
+LockPersonality=true +PrivateUsers=true +MemoryDenyWriteExecute=false + [Install] WantedBy=matrix-synapse.target From 5be9e61c1effec674daf1f98a860738c7e7fdc11 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 13 Apr 2021 19:47:05 +0530 Subject: [PATCH 02/20] Added changelog --- changelog.d/9802.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/9802.misc diff --git a/changelog.d/9802.misc b/changelog.d/9802.misc new file mode 100644 index 000000000000..3158eab8ea88 --- /dev/null +++ b/changelog.d/9802.misc @@ -0,0 +1 @@ +Hardened systemd files as proposed in Issue 9760 From 1de1225767e32f6dfafbb15bd150a9ea557caef9 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 13 Apr 2021 21:11:51 +0530 Subject: [PATCH 03/20] Changed the changelog extension to correct one --- changelog.d/{9802.misc => 9802.doc} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog.d/{9802.misc => 9802.doc} (100%) diff --git a/changelog.d/9802.misc b/changelog.d/9802.doc similarity index 100% rename from changelog.d/9802.misc rename to changelog.d/9802.doc From f70c7aa89aa18357c3dd45346340341bfc281c2f Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 13 Apr 2021 21:21:57 +0530 Subject: [PATCH 04/20] Added change to debian changelog --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index 5d526316fcf2..aad44529c284 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ matrix-synapse-py3 (1.31.0+nmu1) UNRELEASED; urgency=medium * Skip tests when DEB_BUILD_OPTIONS contains "nocheck". + * Harden the systemd unit file -- Dan Callahan Mon, 12 Apr 2021 13:07:36 +0000 From bfc08191a6ade90c27d1b5e4a2848b64d7d57538 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 13 Apr 2021 21:25:22 +0530 Subject: [PATCH 05/20] Added full stop to the end of changelog line --- changelog.d/9802.doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
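Review bot: The 71-line block added to docs/systemd-with-workers/system/matrix-synapse.service is the third identical copy in patch 01 (debian unit, worker template, and here); three hand-maintained copies will drift, and the comment wording already differs between them. A single drop-in under `matrix-synapse.service.d/`, or one file in `contrib/` that both the packaged unit and the documented units point at, would keep the hardening text in one place. Separately, the changelog fragment created in patch 02 and renamed in patch 03 (`changelog.d/9802.misc` to `9802.doc`) is named after the issue rather than the pull request, as the author's own message in patch 06 acknowledges; the fragment should be named for the PR number.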
diff --git a/changelog.d/9802.doc b/changelog.d/9802.doc index 3158eab8ea88..b34f7ea04725 100644 --- a/changelog.d/9802.doc +++ b/changelog.d/9802.doc @@ -1 +1 @@ -Hardened systemd files as proposed in Issue 9760 +Hardened systemd files as proposed in Issue 9760. From 2a3b35885f7299eec8bec14627b592ed9091bf76 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 13 Apr 2021 21:29:16 +0530 Subject: [PATCH 06/20] Renamed changelog file to correct pull request number --- changelog.d/9802.doc | 1 - 1 file changed, 1 deletion(-) delete mode 100644 changelog.d/9802.doc diff --git a/changelog.d/9802.doc b/changelog.d/9802.doc deleted file mode 100644 index b34f7ea04725..000000000000 --- a/changelog.d/9802.doc +++ /dev/null @@ -1 +0,0 @@ -Hardened systemd files as proposed in Issue 9760. From 84fad5ecf96073c68d3b7d1a2d3c40abd2fd1203 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Wed, 14 Apr 2021 19:14:32 +0530 Subject: [PATCH 07/20] Update debian/matrix-synapse.service to match ordering in documentation Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> --- debian/matrix-synapse.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service index a23accfb333e..f3354026dd67 100644 --- a/debian/matrix-synapse.service +++ b/debian/matrix-synapse.service @@ -45,8 +45,8 @@ ProtectSystem=strict ProtectKernelTunables=true ProtectKernelModules=true ProtectControlGroups=true -ProtectClock=true ProtectHostname=true +ProtectClock=true # Prevent access to the following: # - /home directory From 006576fc1c9c3431de61e14598bd7a934a492f86 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:55:21 +0530 Subject: [PATCH 08/20] Revert "Update debian/matrix-synapse.service to match ordering in documentation" This reverts all the commits made to harden service files till now. --- debian/matrix-synapse.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service index f3354026dd67..a23accfb333e 100644 --- a/debian/matrix-synapse.service +++ b/debian/matrix-synapse.service @@ -45,8 +45,8 @@ ProtectSystem=strict ProtectKernelTunables=true ProtectKernelModules=true ProtectControlGroups=true -ProtectHostname=true ProtectClock=true +ProtectHostname=true # Prevent access to the following: # - /home directory From 6783198b5ffc163e1e12bbf9d7a7fb2862a04b00 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:06 +0530 Subject: [PATCH 09/20] Revert "Renamed changelog file to correct pull request number" This reverts commit 2a3b35885f7299eec8bec14627b592ed9091bf76. --- changelog.d/9802.doc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/9802.doc diff --git a/changelog.d/9802.doc b/changelog.d/9802.doc new file mode 100644 index 000000000000..b34f7ea04725 --- /dev/null +++ b/changelog.d/9802.doc @@ -0,0 +1 @@ +Hardened systemd files as proposed in Issue 9760. From df647d64c3ae18b0f8fe585e95126788cbd1d835 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:11 +0530 Subject: [PATCH 10/20] Revert "Added full stop to the end of changelog line" This reverts commit bfc08191a6ade90c27d1b5e4a2848b64d7d57538. --- changelog.d/9802.doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/9802.doc b/changelog.d/9802.doc index b34f7ea04725..3158eab8ea88 100644 --- a/changelog.d/9802.doc +++ b/changelog.d/9802.doc @@ -1 +1 @@ -Hardened systemd files as proposed in Issue 9760. +Hardened systemd files as proposed in Issue 9760 From 2978ae1b16c31c980c02709c8b14cfcb7313ca2c Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:12 +0530 Subject: [PATCH 11/20] Revert "Added change to debian changelog" This reverts commit f70c7aa89aa18357c3dd45346340341bfc281c2f. --- debian/changelog | 1 - 1 file changed, 1 deletion(-) 
diff --git a/debian/changelog b/debian/changelog index aad44529c284..5d526316fcf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,6 @@ matrix-synapse-py3 (1.31.0+nmu1) UNRELEASED; urgency=medium * Skip tests when DEB_BUILD_OPTIONS contains "nocheck". - * Harden the systemd unit file -- Dan Callahan Mon, 12 Apr 2021 13:07:36 +0000 From 83d2f62263658c2cbbac9d1b885d4c6d10eef15a Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:14 +0530 Subject: [PATCH 12/20] Revert "Changed the changelog extension to correct one" This reverts commit 1de1225767e32f6dfafbb15bd150a9ea557caef9. --- changelog.d/{9802.doc => 9802.misc} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog.d/{9802.doc => 9802.misc} (100%) diff --git a/changelog.d/9802.doc b/changelog.d/9802.misc similarity index 100% rename from changelog.d/9802.doc rename to changelog.d/9802.misc From 8832e048bc23c1c6c8d99faff290d66e7639872a Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:15 +0530 Subject: [PATCH 13/20] Revert "Added changelog" This reverts commit 5be9e61c1effec674daf1f98a860738c7e7fdc11. --- changelog.d/9802.misc | 1 - 1 file changed, 1 deletion(-) delete mode 100644 changelog.d/9802.misc diff --git a/changelog.d/9802.misc b/changelog.d/9802.misc deleted file mode 100644 index 3158eab8ea88..000000000000 --- a/changelog.d/9802.misc +++ /dev/null @@ -1 +0,0 @@ -Hardened systemd files as proposed in Issue 9760 From e2cd6b54f758fdfd0c219259441fac8c841d5c07 Mon Sep 17 00:00:00 2001 
From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:56:16 +0530 Subject: [PATCH 14/20] Revert "Added some hardening measures to systemd unit files for managing the matrix-synapse service" This reverts commit 0d754ef4cf4a3a697b2c8e002bf3a9ac64af527f. --- debian/matrix-synapse.service | 71 ------------------- .../system/matrix-synapse-worker@.service | 71 ------------------- .../system/matrix-synapse.service | 71 ------------------- 3 files changed, 213 deletions(-) diff --git a/debian/matrix-synapse.service b/debian/matrix-synapse.service index a23accfb333e..553babf5492d 100644 --- a/debian/matrix-synapse.service +++ b/debian/matrix-synapse.service 
@@ -13,76 +13,5 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse -# The following directives give the synapse service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions, so we set MemoryDenyWriteExecute to false -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true 
-RestrictRealtime=true -RestrictNamespaces=true -LockPersonality=true -PrivateUsers=true -MemoryDenyWriteExecute=false - [Install] WantedBy=multi-user.target diff --git a/docs/systemd-with-workers/system/matrix-synapse-worker@.service b/docs/systemd-with-workers/system/matrix-synapse-worker@.service index 04189113c4eb..d164e8ce1f88 100644 --- a/docs/systemd-with-workers/system/matrix-synapse-worker@.service +++ b/docs/systemd-with-workers/system/matrix-synapse-worker@.service 
@@ -22,76 +22,5 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse-%i -# The following directives give the synapse worker service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true 
-LockPersonality=true -PrivateUsers=true -MemoryDenyWriteExecute=false - [Install] WantedBy=matrix-synapse.target diff --git a/docs/systemd-with-workers/system/matrix-synapse.service b/docs/systemd-with-workers/system/matrix-synapse.service index 9ee086f9f93a..f6b6dfd3ce8e 100644 --- a/docs/systemd-with-workers/system/matrix-synapse.service +++ b/docs/systemd-with-workers/system/matrix-synapse.service 
@@ -18,76 +18,5 @@ Restart=always RestartSec=3 SyslogIdentifier=matrix-synapse -# The following directives give the synapse service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true 
-LockPersonality=true -PrivateUsers=true -MemoryDenyWriteExecute=false - [Install] WantedBy=matrix-synapse.target From 12d130738fe9cff04038fbc0848368f0ad13ac2d Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Sun, 18 Apr 2021 15:59:36 +0530 Subject: [PATCH 15/20] Made changes as requested in PR discussion and added a mention of hardening in the docs --- changelog.d/9802.doc | 1 + .../override-hardened-workers.conf | 71 +++++++++++++++++++ contrib/systemd/override-hardened.conf | 71 +++++++++++++++++++ docs/systemd-with-workers/README.md | 34 +++++++++ 4 files changed, 177 insertions(+) create mode 100644 changelog.d/9802.doc create mode 100644 contrib/systemd-with-workers/override-hardened-workers.conf create mode 100644 contrib/systemd/override-hardened.conf diff --git a/changelog.d/9802.doc b/changelog.d/9802.doc new file mode 100644 index 000000000000..0603312e3304 --- /dev/null +++ b/changelog.d/9802.doc @@ -0,0 +1 @@ +Hardened systemd files as proposed in Issue 9760 and added them to contrib. Changed the docs to reflect the presence of these files in contrib. diff --git a/contrib/systemd-with-workers/override-hardened-workers.conf b/contrib/systemd-with-workers/override-hardened-workers.conf new file mode 100644 index 000000000000..b2fa3ae7c5db --- /dev/null +++ b/contrib/systemd-with-workers/override-hardened-workers.conf 
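Review bot: Patches 08 through 14 revert patches 01 through 07 commit by commit, so the net content of the series is patch 15 onward; please squash before merge so the history does not carry 213 lines added, reordered and removed again. Note also that the message of patch 08 says it reverts all the hardening commits so far, while its diff only swaps `ProtectClock=` and `ProtectHostname=` back; the actual revert is spread across 09 to 14.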
@@ -0,0 +1,71 @@ +[Service] +# The following directives give the synapse service R/W access to: +# - /run/matrix-synapse +# - /var/lib/matrix-synapse +# - /var/log/matrix-synapse + +RuntimeDirectory=matrix-synapse +StateDirectory=matrix-synapse +LogsDirectory=matrix-synapse + +###################### +## Security Sandbox ## +###################### + +# Make sure that the service has its own unshared tmpfs at /tmp and that it +# cannot see or change any real devices +PrivateTmp=true +PrivateDevices=true + +# We give no capabilities to a service by default +CapabilityBoundingSet= +AmbientCapabilities= + +# Protect the following from modification: +# - The entire filesystem +# - sysctl settings and loaded kernel modules +# - No modifications allowed to Control Groups +# - Hostname +# - System Clock +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +ProtectClock=true +ProtectHostname=true + +# Prevent access to the following: +# - /home directory +# - Kernel logs +ProtectHome=tmpfs +ProtectKernelLogs=true + +# Make sure that the process can only see PIDs and process details of itself, +# and the second option disables seeing details of things like system load and +# I/O etc +ProtectProc=invisible +ProcSubset=pid + +# While not needed, we set these options explicitly +# - This process has been given access to the host network +# - It can also communicate with any IP Address +PrivateNetwork=false +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +IPAddressAllow=any + +# Restrict system calls to a sane bunch +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources @obsolete + +# Misc restrictions +# - Since the process is a python process it needs to be able to write and +# execute memory regions, so we set MemoryDenyWriteExecute to false +RestrictSUIDSGID=true +RemoveIPC=true +NoNewPrivileges=true +RestrictRealtime=true +RestrictNamespaces=true +LockPersonality=true 
+PrivateUsers=true +MemoryDenyWriteExecute=false diff --git a/contrib/systemd/override-hardened.conf b/contrib/systemd/override-hardened.conf new file mode 100644 index 000000000000..b2fa3ae7c5db --- /dev/null +++ b/contrib/systemd/override-hardened.conf 
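Review bot: contrib/systemd-with-workers/override-hardened-workers.conf and contrib/systemd/override-hardened.conf are the same blob (both show `index 000000000000..b2fa3ae7c5db`), so one file under `contrib/`, with the README telling worker users to copy it into `matrix-synapse-worker@.service.d/`, would avoid maintaining two copies. If the worker copy stays, it needs `RuntimeDirectoryPreserve=yes` (or no `RuntimeDirectory=` line at all), because with the default `RuntimeDirectoryPreserve=no` stopping one worker instance removes the shared /run/matrix-synapse from under the main process and the remaining workers.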
@@ -0,0 +1,71 @@ +[Service] +# The following directives give the synapse service R/W access to: +# - /run/matrix-synapse +# - /var/lib/matrix-synapse +# - /var/log/matrix-synapse + +RuntimeDirectory=matrix-synapse +StateDirectory=matrix-synapse +LogsDirectory=matrix-synapse + +###################### +## Security Sandbox ## +###################### + +# Make sure that the service has its own unshared tmpfs at /tmp and that it +# cannot see or change any real devices +PrivateTmp=true +PrivateDevices=true + +# We give no capabilities to a service by default +CapabilityBoundingSet= +AmbientCapabilities= + +# Protect the following from modification: +# - The entire filesystem +# - sysctl settings and loaded kernel modules +# - No modifications allowed to Control Groups +# - Hostname +# - System Clock +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +ProtectClock=true +ProtectHostname=true + +# Prevent access to the following: +# - /home directory +# - Kernel logs +ProtectHome=tmpfs +ProtectKernelLogs=true + +# Make sure that the process can only see PIDs and process details of itself, +# and the second option disables seeing details of things like system load and +# I/O etc +ProtectProc=invisible +ProcSubset=pid + +# While not needed, we set these options explicitly +# - This process has been given access to the host network +# - It can also communicate with any IP Address +PrivateNetwork=false +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +IPAddressAllow=any + +# Restrict system calls to a sane bunch +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources @obsolete + +# Misc restrictions +# - Since the process is a python process it needs to be able to write and +# execute memory regions, so we set MemoryDenyWriteExecute to false +RestrictSUIDSGID=true +RemoveIPC=true +NoNewPrivileges=true +RestrictRealtime=true +RestrictNamespaces=true +LockPersonality=true 
+PrivateUsers=true +MemoryDenyWriteExecute=false diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md index cfa36be7b4c5..f8d0eded1ac1 100644 --- a/docs/systemd-with-workers/README.md +++ b/docs/systemd-with-workers/README.md @@ -65,3 +65,37 @@ systemctl restart matrix-synapse-worker@federation_reader.service systemctl enable matrix-synapse-worker@federation_writer.service systemctl restart matrix-synapse.target ``` + +## Hardening + +**Optional:** If further hardening is desired, the file +`override-hardened.conf` may be copied from +`contrib/systemd/override-hardened.conf` in this repository to the location +`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the +directory will have to be created). It enables certain sandboxing features in +systemd to further secure the synapse service. You may read the comments to +understand what the override file is doing. A similar override file at +`contrib/systemd-with-workers/override-hardened-worker.conf` may be copied to +`/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf` +(this directory will also have to be created) in order to apply the same +hardening options to any worker processes. + +Once these files have been copied to their appropriate locations, simply run +the following commands to apply the hardening options. They will automatically +be applied at every restart as long as the override files are present at the +specified locations. + +```sh +systemctl daemon-reload + +# Restart the master +systemctl restart matrix-synapse.service + +# If using a worker-based setup, restart the workers too. +# To restart a specific worker (eg. federation_reader): +systemctl restart matrix-synapse-worker@federation_reader.service +``` + +In order to see their effect, you may run `systemd-analyze security +matrix-synapse.service` before and after applying the hardening options to see +the changes being applied at a glance. 
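Review bot: The README paths do not match the file this patch adds: the text says `contrib/systemd-with-workers/override-hardened-worker.conf` and `/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf`, but the new file is `override-hardened-workers.conf` (plural), so a copy command following the docs fails. Two further points: the restart snippet restarts the main unit and one named worker, whereas the snippet just above this section uses `systemctl restart matrix-synapse.target`, and a drop-in on the template applies to every worker, so reuse the target here. And since `ProtectSystem=strict` makes everything outside `RuntimeDirectory=`/`StateDirectory=`/`LogsDirectory=` read-only and `ProtectHome=tmpfs` hides /home, this section should tell admins with a non-default `media_store_path`, signing-key or log location to add a `ReadWritePaths=` line to the drop-in; otherwise Synapse can no longer write there once the override is applied.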
From 585ae3884c49cc75859b023d6914560b9944f1c8 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 18 May 2021 16:10:05 +0530 Subject: [PATCH 16/20] Apply suggestions from code review by anoadragon453 Mostly a few grammatical changes to better fit the language expected Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> --- docs/systemd-with-workers/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md index f8d0eded1ac1..074e1ead57f4 100644 --- a/docs/systemd-with-workers/README.md +++ b/docs/systemd-with-workers/README.md 
@@ -72,16 +72,16 @@ systemctl restart matrix-synapse.target `override-hardened.conf` may be copied from `contrib/systemd/override-hardened.conf` in this repository to the location `/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the -directory will have to be created). It enables certain sandboxing features in +directory may have to be created). It enables certain sandboxing features in systemd to further secure the synapse service. You may read the comments to understand what the override file is doing. A similar override file at `contrib/systemd-with-workers/override-hardened-worker.conf` may be copied to `/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf` -(this directory will also have to be created) in order to apply the same +(this directory may also have to be created) in order to apply the same hardening options to any worker processes. -Once these files have been copied to their appropriate locations, simply run -the following commands to apply the hardening options. They will automatically +Once these files have been copied to their appropriate locations, simply reload +systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically be applied at every restart as long as the override files are present at the specified locations. From ad8e2cc36c70825b4b2b914a44407418fc8b3056 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 18 May 2021 16:10:56 +0530 Subject: [PATCH 17/20] Update changelog.d/9802.doc with a link to the actual issue Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> --- changelog.d/9802.doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/9802.doc b/changelog.d/9802.doc index 0603312e3304..16c7ba703394 100644 --- a/changelog.d/9802.doc +++ b/changelog.d/9802.doc 
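Review bot: The reworded paragraph ("reload systemd's manager config files and restart all Synapse services") is right, but the unchanged context lines in this hunk still carry `override-hardened-worker.conf`, a file that does not exist under `contrib/` (patch 15 added `override-hardened-workers.conf`); since the paragraph is being edited anyway, correct the path in the same commit.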
@@ -1 +1 @@ -Hardened systemd files as proposed in Issue 9760 and added them to contrib. Changed the docs to reflect the presence of these files in contrib. +Add hardened systemd files as proposed in [#9760](https://github.com/matrix-org/synapse/issues/9760) and added them to `contrib/`. Change the docs to reflect the presence of these files. From a36d1ec5ae0bc745f536ae7b97e013bb7cf956a5 Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Tue, 18 May 2021 16:14:49 +0530 Subject: [PATCH 18/20] Removed duplicate file for hardening systemd workers and updated the docs as requested in code review --- .../override-hardened-workers.conf | 71 ------------------- docs/systemd-with-workers/README.md | 12 ++-- 2 files changed, 4 insertions(+), 79 deletions(-) delete mode 100644 contrib/systemd-with-workers/override-hardened-workers.conf diff --git a/contrib/systemd-with-workers/override-hardened-workers.conf b/contrib/systemd-with-workers/override-hardened-workers.conf deleted file mode 100644 index b2fa3ae7c5db..000000000000 --- a/contrib/systemd-with-workers/override-hardened-workers.conf +++ /dev/null 
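Review bot: the tenses in the rewritten changelog line are mixed ("Add hardened systemd files ... and added them to `contrib/`. Change the docs ..."); use the imperative throughout, e.g. "Add hardened systemd files as proposed in [#9760](https://github.com/matrix-org/synapse/issues/9760) to `contrib/`, and update the docs to reflect them." Separately, this entry lives in `changelog.d/9802.doc`; the file name has to carry this PR's number rather than the issue number, and the last patch in this series renames it to `9803.doc`, which suggests `9802` was wrong here.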
@@ -1,71 +0,0 @@ -[Service] -# The following directives give the synapse service R/W access to: -# - /run/matrix-synapse -# - /var/lib/matrix-synapse -# - /var/log/matrix-synapse - -RuntimeDirectory=matrix-synapse -StateDirectory=matrix-synapse -LogsDirectory=matrix-synapse - -###################### -## Security Sandbox ## -###################### - -# Make sure that the service has its own unshared tmpfs at /tmp and that it -# cannot see or change any real devices -PrivateTmp=true -PrivateDevices=true - -# We give no capabilities to a service by default -CapabilityBoundingSet= -AmbientCapabilities= - -# Protect the following from modification: -# - The entire filesystem -# - sysctl settings and loaded kernel modules -# - No modifications allowed to Control Groups -# - Hostname -# - System Clock -ProtectSystem=strict -ProtectKernelTunables=true -ProtectKernelModules=true -ProtectControlGroups=true -ProtectClock=true -ProtectHostname=true - -# Prevent access to the following: -# - /home directory -# - Kernel logs -ProtectHome=tmpfs -ProtectKernelLogs=true - -# Make sure that the process can only see PIDs and process details of itself, -# and the second option disables seeing details of things like system load and -# I/O etc -ProtectProc=invisible -ProcSubset=pid - -# While not needed, we set these options explicitly -# - This process has been given access to the host network -# - It can also communicate with any IP Address -PrivateNetwork=false -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -IPAddressAllow=any - -# Restrict system calls to a sane bunch -SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @obsolete - -# Misc restrictions -# - Since the process is a python process it needs to be able to write and -# execute memory regions, so we set MemoryDenyWriteExecute to false -RestrictSUIDSGID=true -RemoveIPC=true -NoNewPrivileges=true -RestrictRealtime=true -RestrictNamespaces=true -LockPersonality=true 
-PrivateUsers=true -MemoryDenyWriteExecute=false diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md index 074e1ead57f4..19ac1a330651 100644 --- a/docs/systemd-with-workers/README.md +++ b/docs/systemd-with-workers/README.md @@ -74,8 +74,8 @@ systemctl restart matrix-synapse.target `/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the directory may have to be created). It enables certain sandboxing features in systemd to further secure the synapse service. You may read the comments to -understand what the override file is doing. A similar override file at -`contrib/systemd-with-workers/override-hardened-worker.conf` may be copied to +understand what the override file is doing. The same file at may also be copied +to `/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf` (this directory may also have to be created) in order to apply the same hardening options to any worker processes. @@ -88,12 +88,8 @@ specified locations. ```sh systemctl daemon-reload -# Restart the master -systemctl restart matrix-synapse.service - -# If using a worker-based setup, restart the workers too. -# To restart a specific worker (eg. federation_reader): -systemctl restart matrix-synapse-worker@federation_reader.service +# Restart the services +systemctl restart matrix-synapse.target ``` In order to see their effect, you may run `systemd-analyze security From c891774a0efe0fca42efbc90f8ecccb480944eee Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Tue, 18 May 2021 17:39:39 +0100 Subject: [PATCH 19/20] Apply suggestions from code review --- docs/systemd-with-workers/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/systemd-with-workers/README.md b/docs/systemd-with-workers/README.md index 19ac1a330651..a1135e9ed578 100644 --- a/docs/systemd-with-workers/README.md +++ b/docs/systemd-with-workers/README.md 
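Review bot: deleting `contrib/systemd-with-workers/override-hardened-workers.conf` and pointing workers at the same override is fine for the sandboxing directives, but it also means every `matrix-synapse-worker@*.service` instance now sets `RuntimeDirectory=matrix-synapse`, the same name as the main unit. systemd removes a unit's `RuntimeDirectory=` when that unit stops, so stopping or restarting a single worker deletes `/run/matrix-synapse` from under the main process and every other worker. Either add `RuntimeDirectoryPreserve=yes` next to it, or give each worker its own directory (for example `RuntimeDirectory=matrix-synapse/%i`). `StateDirectory=` and `LogsDirectory=` are not removed on stop, so they are unaffected. It is also worth a sentence in the docs that `PrivateUsers=true` maps every uid other than root and the service's own user to `nobody` inside the unit, so any socket or file the workers must reach that is owned by a different user becomes inaccessible.

Review bot: in the README hunk, "The same file at may also be copied to" has a stray "at" and should read "The same file may also be copied to". Since the source is now `contrib/systemd/override-hardened.conf` and the worker-specific variant has been removed, consider keeping the destination name `override-hardened.conf` under `matrix-synapse-worker@.service.d/` as well, so readers do not go looking for a separate worker file. The replacement command block (`systemctl daemon-reload` followed by `systemctl restart matrix-synapse.target`) now matches the "restart all Synapse services" wording introduced earlier in this series.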
@@ -74,7 +74,7 @@ systemctl restart matrix-synapse.target `/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the directory may have to be created). It enables certain sandboxing features in systemd to further secure the synapse service. You may read the comments to -understand what the override file is doing. The same file at may also be copied +understand what the override file is doing. The same file will need to be copied to `/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf` (this directory may also have to be created) in order to apply the same @@ -88,7 +88,7 @@ specified locations. ```sh systemctl daemon-reload -# Restart the services +# Restart services systemctl restart matrix-synapse.target ``` From 4d3d5dd2581ae66e6258eef0a6804c03c2625bd5 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 18 May 2021 17:42:09 +0100 Subject: [PATCH 20/20] Fix changelog number --- changelog.d/{9802.doc => 9803.doc} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog.d/{9802.doc => 9803.doc} (100%) diff --git a/changelog.d/9802.doc b/changelog.d/9803.doc similarity index 100% rename from changelog.d/9802.doc rename to changelog.d/9803.doc