[Pkg-matrix-maintainers] Bug#955254: matrix-synapse: add systemd sandboxing options to service file

jvalleroy jvalleroy at jvalleroy.mooo.com
Sat Mar 28 18:19:56 GMT 2020


Package: matrix-synapse
Version: 1.11.1-1
Severity: wishlist

Dear Maintainer,

In FreedomBox, we have added these sandboxing options:

[Service]
ConfigurationDirectory=matrix-synapse
LockPersonality=yes
LogsDirectory=matrix-synapse
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=yes
StateDirectory=matrix-synapse
SystemCallArchitectures=native

Please consider adding any of these to the service file included in the package.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages matrix-synapse depends on:
ii  adduser                    3.118
ii  debconf [debconf-2.0]      1.5.73
ii  libjs-jquery               3.3.1~dfsg-3
ii  libpython3-stdlib          3.8.2-2
ii  lsb-base                   11.1.0
ii  python3                    3.8.2-2
ii  python3-attr               19.3.0-2
ii  python3-bcrypt             3.1.7-2+b1
ii  python3-bleach             3.1.3-1
ii  python3-canonicaljson      1.1.4-3
ii  python3-daemonize          2.4.7-4
ii  python3-distutils          3.8.2-2
ii  python3-frozendict         1.2-2
ii  python3-idna               2.8-1
ii  python3-jinja2             2.10.1-2
ii  python3-jsonschema         3.0.2-4
ii  python3-lxml               4.5.0-1
ii  python3-msgpack            0.6.2-1
ii  python3-nacl               1.3.0-5
ii  python3-netaddr            0.7.19-4
ii  python3-openssl            19.0.0-1
ii  python3-phonenumbers       8.9.10-2
ii  python3-pil                6.2.1-2+b1
ii  python3-prometheus-client  0.7.1-1.1
ii  python3-pyasn1             0.4.2-3
ii  python3-pyasn1-modules     0.2.1-0.2
ii  python3-pymacaroons        0.13.0-3
ii  python3-service-identity   18.1.0-5
ii  python3-signedjson         1.1.0-1
ii  python3-six                1.14.0-2
ii  python3-sortedcontainers   2.1.0-2
ii  python3-systemd            234-3+b1
ii  python3-treq               18.6.0-0.2
ii  python3-twisted            18.9.0-8
ii  python3-typing-extensions  3.7.4.1-1
ii  python3-unpaddedbase64     1.1.0-5
ii  python3-yaml               5.3.1-1

Versions of packages matrix-synapse recommends:
ii  python3-psycopg2  2.8.4-2

Versions of packages matrix-synapse suggests:
pn  python3-txacme  <none>

-- Configuration Files:
/etc/matrix-synapse/homeserver.yaml changed [not included]

-- debconf information excluded
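One way to check a drop-in like the one above mechanically, as an added example that is not FreedomBox's or the Debian package's code: it layers a unit and its drop-ins the way systemd does (later files win for scalar settings, list settings such as RestrictAddressFamilies accumulate until an empty assignment resets them, a trailing backslash continues a line) and then reports which of the directives proposed in the report are missing or weakened. The unit texts inside it are constructed for the example, not the packaged matrix-synapse.service; against a real installation, `systemd-analyze security matrix-synapse.service` gives systemd's own scoring of the same settings.

```python
"""Merge a systemd unit with its drop-ins and audit [Service] sandboxing.

Added example, not FreedomBox or Debian code.  It models the unit-file rules
that matter when reviewing a hardening drop-in: later files override scalar
settings, list settings accumulate and reset on an empty assignment, a trailing
backslash continues a line, '#'/';' start comments.  Samples are constructed.
"""
from typing import List, Optional

LIST_SETTINGS = {  # space-separated list settings (subset; systemd has more)
    "RestrictAddressFamilies", "SystemCallArchitectures", "SystemCallFilter",
    "CapabilityBoundingSet", "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths"}
EXPECTED = {  # directives from the bug report and the value each should carry
    "LockPersonality": "yes", "NoNewPrivileges": "yes", "PrivateDevices": "yes",
    "PrivateTmp": "yes", "ProtectControlGroups": "yes", "ProtectHome": "yes",
    "ProtectKernelLogs": "yes", "ProtectKernelModules": "yes",
    "ProtectKernelTunables": "yes", "ProtectSystem": "strict",
    "RestrictRealtime": "yes", "SystemCallArchitectures": "native",
    "RestrictAddressFamilies": "AF_UNIX AF_INET AF_INET6"}


def _logical_lines(text: str):
    """Yield lines with backslash continuations joined, as systemd reads them."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line.lstrip() if buf else line
        buf = ""
    if buf:
        yield buf


def parse_unit(text: str, settings: Optional[dict] = None) -> dict:
    """Parse a unit or drop-in into {section: {key: [values]}}; layer onto `settings` if given."""
    settings = {} if settings is None else settings
    section = None
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            settings.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {line!r}")
        key, _, value = line.partition("=")
        key, value, sec = key.strip(), value.strip(), settings[section]
        if key in LIST_SETTINGS:  # empty value resets the list, else accumulate
            sec[key] = [] if value == "" else sec.get(key, []) + value.split()
        else:
            sec[key] = [value]  # scalar: the last assignment wins
    return settings


def effective(settings: dict, key: str) -> Optional[str]:
    vals = settings.get("Service", {}).get(key)
    return " ".join(vals) if vals else None


def audit(*unit_texts: str) -> List[str]:
    """Layer the unit texts in order (unit, then drop-ins) and list findings."""
    settings: dict = {}
    for text in unit_texts:
        parse_unit(text, settings)
    findings = []
    for key, want in EXPECTED.items():
        got = effective(settings, key)
        if got is None:
            findings.append(f"{key} not set (expected {want})")
        elif want == "yes" and got.lower() not in {"yes", "true", "on", "1"}:
            findings.append(f"{key}={got} (expected yes)")
        elif key == "RestrictAddressFamilies":
            if set(got.split()) - set(want.split()):  # extra family or ~deny-list
                findings.append(f"RestrictAddressFamilies differs: {got}")
        elif want != "yes" and got != want:
            findings.append(f"{key}={got} (expected {want})")
    # Caveat: ProtectSystem=strict mounts the whole tree read-only except /dev,
    # /proc and /sys, so the unit needs a writable location to keep its state.
    if effective(settings, "ProtectSystem") == "strict" and not any(
            effective(settings, k) for k in
            ("StateDirectory", "LogsDirectory", "RuntimeDirectory", "ReadWritePaths")):
        findings.append("ProtectSystem=strict but no writable directory granted")
    return findings


# Constructed samples: a stock unit with no sandboxing, a drop-in carrying the
# bug report's directives, and a later drop-in that quietly widens the sandbox.
BASE_UNIT = """\
[Service]
User=matrix-synapse
ExecStart=/usr/bin/python3 -m synapse.app.homeserver \\
    --config-path=/etc/matrix-synapse/homeserver.yaml
"""
HARDENING = ("[Service]\n" + "".join(f"{k}={v}\n" for k, v in EXPECTED.items())
             + "ConfigurationDirectory=matrix-synapse\nLogsDirectory=matrix-synapse\n"
             "StateDirectory=matrix-synapse\n")
WEAKENING = "[Service]\nRestrictAddressFamilies=AF_NETLINK\nProtectSystem=full\n"
```

Call `audit(unit_text, *drop_in_texts)` with the files read in the order systemd applies them (the unit, then /etc/systemd/system/matrix-synapse.service.d/*.conf sorted by name). `audit(BASE_UNIT)` lists every directive as missing, `audit(BASE_UNIT, HARDENING)` returns no findings, and adding WEAKENING shows why the accumulate-until-reset rule matters: a later drop-in that appends AF_NETLINK widens the allowed families without touching the original line. The ProtectSystem=strict caveat is why the report's StateDirectory and LogsDirectory belong with the rest of the set: strict alone leaves the service unable to write under /var.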


