[Service]
# The following directives give the synapse service R/W access to:
# - /var/lib/matrix-synapse
# - /var/log/matrix-synapse

StateDirectory=matrix-synapse
LogsDirectory=matrix-synapse

######################
## Security Sandbox ##
######################

# Make sure that the service has its own unshared tmpfs at /tmp and that it
# cannot see or change any real devices
PrivateTmp=true
PrivateDevices=true

# We give no capabilities to a service by default
#CapabilityBoundingSet=
#AmbientCapabilities=

# Protect the following from modification:
# - The entire filesystem
# - sysctl settings and loaded kernel modules
# - No modifications allowed to Control Groups
# - Hostname
# - System Clock
ProtectSystem=strict
ProtectKernelTunables=true