From e5c80e8af37b0fda66b09172303dd5cbdaff240c Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Sat, 1 Feb 2020 18:05:22 -0500
Subject: [PATCH] matrixsynapse: Enable systemd sandboxing

Signed-off-by: James Valleroy
Reviewed-by: Sunil Mohan Adapa
---
.../matrix-synapse.service.d/freedombox.conf | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 plinth/modules/matrixsynapse/data/lib/systemd/system/matrix-synapse.service.d/freedombox.conf

diff --git a/plinth/modules/matrixsynapse/data/lib/systemd/system/matrix-synapse.service.d/freedombox.conf b/plinth/modules/matrixsynapse/data/lib/systemd/system/matrix-synapse.service.d/freedombox.conf
new file mode 100644
index 000000000..c87b0c250
--- /dev/null
+++ b/plinth/modules/matrixsynapse/data/lib/systemd/system/matrix-synapse.service.d/freedombox.conf
@@ -0,0 +1,17 @@
+[Service]
+ConfigurationDirectory=matrix-synapse
+LockPersonality=yes
+LogsDirectory=matrix-synapse
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+StateDirectory=matrix-synapse
+SystemCallArchitectures=native
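Review bot: The drop-in has no comment saying which paths stay writable, and with `ProtectSystem=strict` the service sees a read-only file system apart from the directories the unit declares (`StateDirectory=`, `LogsDirectory=`) and its private `/tmp`. A homeserver whose media store, database file or log path was configured outside those would fail on write. I would add a header comment such as `# Writable paths: /var/lib/matrix-synapse, /var/log/matrix-synapse; use ReadWritePaths= in a local override for anything else.` `ProtectKernelLogs=` needs systemd 244 or newer and is ignored with a warning on older hosts, which is worth a one-line comment next to it. Capabilities, namespaces and the syscall filter are left at their defaults; whether that matters depends on the base unit, which is not part of this patch, and `systemd-analyze security matrix-synapse.service` shows the effective result.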