chg: fix linter warning :

remove signald service, harden systemd.service file, listen only on localhost in config.yaml

conf/config.yaml

@@ -31,7 +31,7 @@ appservice:
     address: http://localhost:__PORT__
 
     # The hostname and port where this appservice should listen.
-    hostname: 0.0.0.0
+    hostname: localhost
     port: __PORT__
 
     # Database config.

conf/signald.service

@@ -1,21 +0,0 @@
-[Unit]
-Description=A daemon for interacting with the Signal Private Messenger
-Wants=network.target
-After=network.target
-
-[Service]
-Type=simple
-RuntimeDirectory=signald
-RuntimeDirectoryMode=0770
-User=__SIGNALD_USER__
-Group=__SIGNALD_USER__
-#ExecStart=/usr/bin/signald -d /var/lib/signald
-ExecStart=__SIGNALD_PATH__/build/install/signald/bin/signald -d /var/lib/signald
-EnvironmentFile=-/etc/default/signald
-Restart=on-failure
-UMask=0007
-# JVM always exits with 143 in reaction to SIGTERM signal
-SuccessExitStatus=143
-
-[Install]
-WantedBy=default.target

conf/systemd.service

@@ -9,5 +9,39 @@ Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/mautrix-signal
 
+### Depending on specificities of your service/app, you may need to tweak these
+### .. but this should be a good baseline
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target