2023-08-25 16:17:37 -04:00
|
|
|
[Service]
|
2023-09-08 17:38:07 -04:00
|
|
|
User=matrix-synapse
|
|
|
|
|
Group=matrix-synapse
|
|
|
|
|
ExecStartPost=/usr/bin/chgrp matrix-synapse-socket /var/lib/matrix-synapse/matrix-synapse.sock
|
|
|
|
|
|
2023-08-25 16:17:37 -04:00
|
|
|
# The following directives give the synapse service R/W access to:
|
|
|
|
|
# - /var/lib/matrix-synapse
|
|
|
|
|
# - /var/log/matrix-synapse
|
|
|
|
|
|
|
|
|
|
StateDirectory=matrix-synapse
|
|
|
|
|
LogsDirectory=matrix-synapse
|
|
|
|
|
|
|
|
|
|
######################
|
|
|
|
|
## Security Sandbox ##
|
|
|
|
|
######################
|
|
|
|
|
|
|
|
|
|
# Make sure that the service has its own unshared tmpfs at /tmp and that it
|
|
|
|
|
# cannot see or change any real devices
|
|
|
|
|
PrivateTmp=true
|
|
|
|
|
PrivateDevices=true
|
|
|
|
|
|
|
|
|
|
# We give no capabilities to a service by default
|
|
|
|
|
#CapabilityBoundingSet=
|
|
|
|
|
#AmbientCapabilities=
|
|
|
|
|
|
|
|
|
|
# Protect the following from modification:
|
|
|
|
|
# - The entire filesystem
|
|
|
|
|
# - sysctl settings and loaded kernel modules
|
|
|
|
|
# - No modifications allowed to Control Groups
|
|
|
|
|
# - Hostname
|
|
|
|
|
# - System Clock
|
|
|
|
|
ProtectSystem=strict
|
2023-09-08 17:38:07 -04:00
|
|
|
ProtectKernelTunables=true
|
