Add hardening options to systemd unit

Open · erdnaxe opened this issue 3 years ago · 1 comment

These options increase the isolation of mautrix-* system services.

I have been using these options with mautrix-telegram without any issue (on NixOS 21.11).

I am not setting SystemCallFilter as it might cause issues with old systemd distributions such as Ubuntu 18.04. I am not setting DeviceAllow, PrivateDevices, PrivateUsers, RestrictAddressFamilies and UMask as I do not have enough knowledge about how other mautrix bridges could behave.

Thanks,

erdnaxe avatar Jan 24 '22 14:01 erdnaxe

ProtectSystem = strict mounts the whole file system as read only. This only works if you disable logging of your bridge - which is not the default. Hence a service with your proposed configuration refuses to start.

One solution is to add a BindPaths setting like BindPaths = /opt/mautrix-telegram/mautrix-telegram.log.

kidhab avatar Jun 11 '22 08:06 kidhab
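Added example, not code from the issue or from the mautrix project: a systemd drop-in that applies the kind of isolation the issue asks for and shows the two ways around the read-only root that the comment above describes. The unit name mautrix-telegram.service, the drop-in path, and the /opt/mautrix-telegram install directory are assumptions; only the log path /opt/mautrix-telegram/mautrix-telegram.log comes from the thread. The option set below is a common systemd hardening baseline, not the list the issue proposed, and it deliberately leaves out the options the issue author said they had not tested (SystemCallFilter, DeviceAllow, PrivateDevices, PrivateUsers, RestrictAddressFamilies, UMask).

```ini
# /etc/systemd/system/mautrix-telegram.service.d/hardening.conf  (assumed path)
# Drop-in for an assumed mautrix-telegram.service. Apply with:
#   systemctl daemon-reload && systemctl restart mautrix-telegram.service
[Service]
# Drop the ability to gain privileges via setuid/setcap binaries.
NoNewPrivileges=true

# Whole file system read-only for this service, except what is listed
# in ReadWritePaths=/BindPaths= below (and StateDirectory/LogsDirectory
# if the unit uses them). With strict and no writable log location the
# bridge fails to open its log file and the service refuses to start.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

# Keep kernel tunables, modules and cgroup tree out of reach.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Misc restrictions that do not affect a userspace network daemon.
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictNamespaces=true

# Option A (what the comment above suggests): bind only the log file
# through the read-only root. The file must already exist.
BindPaths=/opt/mautrix-telegram/mautrix-telegram.log

# Option B (alternative, use one or the other): grant write access to the
# path instead of bind-mounting it. Works for a file or a directory, so
# this also covers the bridge's SQLite database and registration files
# if they live in the same directory (assumption: they do).
#ReadWritePaths=/opt/mautrix-telegram
```

After reloading, `systemctl status mautrix-telegram.service` and `journalctl -u mautrix-telegram.service` show whether the bridge came up; a failure to open the log file or database under ProtectSystem=strict shows up there as a permission error at start-up. On systemd 240 or newer, `systemd-analyze security mautrix-telegram.service` prints the exposure score before and after the drop-in, which is a quick way to confirm the options actually took effect. Distributions still on older systemd ignore options they do not know (with a warning in the journal), so the unit starts but without that protection; check the journal rather than assuming.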