chrony/SOURCES/chrony-services.patch

82 lines
2.4 KiB
Diff
Raw Permalink Normal View History

2022-09-27 19:55:09 +00:00
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index 72b028f2..b3aa7aa2 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
2024-03-27 19:28:47 +00:00
@@ -16,31 +16,5 @@ TimeoutStartSec=180
2022-09-27 19:55:09 +00:00
RemainAfterExit=yes
StandardOutput=null
-CapabilityBoundingSet=
-DevicePolicy=closed
-DynamicUser=yes
-IPAddressAllow=localhost
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-PrivateDevices=yes
-PrivateUsers=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources
-UMask=0777
-
[Install]
WantedBy=multi-user.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 4fb930ef..289548cb 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
2024-03-27 19:28:47 +00:00
@@ -10,39 +10,9 @@ Type=forking
2022-09-27 19:55:09 +00:00
PIDFile=/run/chrony/chronyd.pid
EnvironmentFile=-/etc/sysconfig/chronyd
ExecStart=/usr/sbin/chronyd $OPTIONS
-
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
-DeviceAllow=char-pps rw
-DeviceAllow=char-ptp rw
-DeviceAllow=char-rtc rw
-DevicePolicy=closed
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
-ProtectControlGroups=yes
ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony -/var/log
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=yes
-RestrictSUIDSGID=yes
-SystemCallArchitectures=native
-SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
-
-# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
-NoNewPrivileges=no
-ReadWritePaths=-/var/spool
-RestrictAddressFamilies=AF_NETLINK
+ProtectSystem=full
[Install]
WantedBy=multi-user.target