2022-09-27 19:55:09 +00:00
|
|
|
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
|
|
|
|
index 72b028f2..b3aa7aa2 100644
|
|
|
|
--- a/examples/chrony-wait.service
|
|
|
|
+++ b/examples/chrony-wait.service
|
2024-03-27 19:28:47 +00:00
|
|
|
@@ -16,31 +16,5 @@ TimeoutStartSec=180
|
2022-09-27 19:55:09 +00:00
|
|
|
RemainAfterExit=yes
|
|
|
|
StandardOutput=null
|
|
|
|
|
|
|
|
-CapabilityBoundingSet=
|
|
|
|
-DevicePolicy=closed
|
|
|
|
-DynamicUser=yes
|
|
|
|
-IPAddressAllow=localhost
|
|
|
|
-IPAddressDeny=any
|
|
|
|
-LockPersonality=yes
|
|
|
|
-MemoryDenyWriteExecute=yes
|
|
|
|
-PrivateDevices=yes
|
|
|
|
-PrivateUsers=yes
|
|
|
|
-ProtectClock=yes
|
|
|
|
-ProtectControlGroups=yes
|
|
|
|
-ProtectHome=yes
|
|
|
|
-ProtectHostname=yes
|
|
|
|
-ProtectKernelLogs=yes
|
|
|
|
-ProtectKernelModules=yes
|
|
|
|
-ProtectKernelTunables=yes
|
|
|
|
-ProtectProc=invisible
|
|
|
|
-ProtectSystem=strict
|
|
|
|
-RestrictAddressFamilies=AF_INET AF_INET6
|
|
|
|
-RestrictNamespaces=yes
|
|
|
|
-RestrictRealtime=yes
|
|
|
|
-SystemCallArchitectures=native
|
|
|
|
-SystemCallFilter=@system-service
|
|
|
|
-SystemCallFilter=~@privileged @resources
|
|
|
|
-UMask=0777
|
|
|
|
-
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|
|
|
|
diff --git a/examples/chronyd.service b/examples/chronyd.service
|
|
|
|
index 4fb930ef..289548cb 100644
|
|
|
|
--- a/examples/chronyd.service
|
|
|
|
+++ b/examples/chronyd.service
|
2024-03-27 19:28:47 +00:00
|
|
|
@@ -10,39 +10,9 @@ Type=forking
|
2022-09-27 19:55:09 +00:00
|
|
|
PIDFile=/run/chrony/chronyd.pid
|
|
|
|
EnvironmentFile=-/etc/sysconfig/chronyd
|
|
|
|
ExecStart=/usr/sbin/chronyd $OPTIONS
|
|
|
|
-
|
|
|
|
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
|
|
|
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
|
|
|
|
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
|
|
|
|
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
|
|
|
|
-CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
|
|
|
|
-DeviceAllow=char-pps rw
|
|
|
|
-DeviceAllow=char-ptp rw
|
|
|
|
-DeviceAllow=char-rtc rw
|
|
|
|
-DevicePolicy=closed
|
|
|
|
-LockPersonality=yes
|
|
|
|
-MemoryDenyWriteExecute=yes
|
|
|
|
-NoNewPrivileges=yes
|
|
|
|
PrivateTmp=yes
|
|
|
|
-ProtectControlGroups=yes
|
|
|
|
ProtectHome=yes
|
|
|
|
-ProtectHostname=yes
|
|
|
|
-ProtectKernelLogs=yes
|
|
|
|
-ProtectKernelModules=yes
|
|
|
|
-ProtectKernelTunables=yes
|
|
|
|
-ProtectProc=invisible
|
|
|
|
-ProtectSystem=strict
|
|
|
|
-ReadWritePaths=/run /var/lib/chrony -/var/log
|
|
|
|
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
|
|
-RestrictNamespaces=yes
|
|
|
|
-RestrictSUIDSGID=yes
|
|
|
|
-SystemCallArchitectures=native
|
|
|
|
-SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
|
|
|
|
-
|
|
|
|
-# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
|
|
|
|
-NoNewPrivileges=no
|
|
|
|
-ReadWritePaths=-/var/spool
|
|
|
|
-RestrictAddressFamilies=AF_NETLINK
|
|
|
|
+ProtectSystem=full
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|