Lock down the Conduit process in the systemd unit

This will secure the service more and allow only what is necessary.
author: Paul van Tilburg <paul@luon.net> 2020-11-13 21:37:22 +0100
committer: Paul van Tilburg <paul@luon.net> 2020-11-24 14:42:20 +0100
commit: 1a341543ba155e3b4416368344cbb705690aceca (patch)
tree: 885955731ab6bdd9b3233e39ff126628331d11f9 /debian
parent: 1b4a79d47c7f91b6d3562520637d28f6f00ec6c9 (diff)
download: conduit-1a341543ba155e3b4416368344cbb705690aceca.zip
1 files changed, 27 insertions, 0 deletions
diff --git a/debian/matrix-conduit.service b/debian/matrix-conduit.service
index 42969c1..5ab7917 100644
--- a/debian/matrix-conduit.service
+++ b/debian/matrix-conduit.service
@@ -7,6 +7,33 @@ User=_matrix-conduit
 Group=_matrix-conduit
 Type=simple
 
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+StateDirectory=matrix-conduit
+
 Environment="ROCKET_ENV=production"
 Environment="ROCKET_DATABASE_PATH=/var/lib/matrix-conduit"
 EnvironmentFile=/etc/matrix-conduit/debian
author	Paul van Tilburg <paul@luon.net>	2020-11-13 21:37:22 +0100
committer	Paul van Tilburg <paul@luon.net>	2020-11-24 14:42:20 +0100
commit	1a341543ba155e3b4416368344cbb705690aceca (patch)
tree	885955731ab6bdd9b3233e39ff126628331d11f9 /debian
parent	1b4a79d47c7f91b6d3562520637d28f6f00ec6c9 (diff)
download	conduit-1a341543ba155e3b4416368344cbb705690aceca.zip