commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Tue Jan 10 15:02:49 2023 +0100
examples: add chronyd-restricted.service
This is a more restricted version of the chronyd service intended for
minimal NTP/NTS client configurations. The daemon is started without
root privileges and is allowed to write only to its own runtime, state,
and log directories. It cannot bind to privileged ports in order to
operate as an NTP server, or provide monitoring access over IPv4/IPv6.
It cannot use reference clocks, HW timestamping, RTC tracking, and other
features.
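diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service
new file mode 100644
index 00000000..50998338
--- /dev/null
+++ b/examples/chronyd-restricted.service
@@ -0,0 +1,59 @@
+# This is a more restricted version of the chronyd service intended for
+# minimal NTP/NTS client configurations. The daemon is started without root
+# privileges and is allowed to write only to its own runtime, state, and log
+# directories. It cannot bind to privileged ports in order to operate as an
+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use
+# reference clocks, HW timestamping, RTC tracking, and other features.
+[Unit]
+Description=NTP client (restricted)
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=chronyd.service ntpdate.service sntp.service ntpd.service
+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd -U $OPTIONS
+
+User=chrony
+LogsDirectory=chrony
+LogsDirectoryMode=0750
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=restart
+StateDirectory=chrony
+StateDirectoryMode=0750
+
+AmbientCapabilities=CAP_SYS_TIME
+CapabilityBoundingSet=CAP_SYS_TIME
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+# This breaks adjtimex()
+#PrivateUsers=yes
+ProcSubset=pid
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
+SystemCallFilter=~@reboot @resources @swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target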
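Review bot: The `-U` on `ExecStart=/usr/sbin/chronyd -U $OPTIONS` is the piece that lets chronyd start under `User=chrony` by disabling its own root-privilege check, and the unit relies on the `LogsDirectory=`/`RuntimeDirectory=`/`StateDirectory=` settings for write access and on `AmbientCapabilities=CAP_SYS_TIME` for clock control, yet nothing in the file states that dependency. A comment above the ExecStart line such as `# -U skips chronyd's root check; it runs as User=chrony with write access only to the *Directory= paths below and clock control only via AmbientCapabilities=CAP_SYS_TIME` would keep a later edit from removing one half without the other. The `$OPTIONS` value comes from `/etc/sysconfig/chronyd`, which is presumably shared with the unrestricted chronyd.service; options placed there that assume root or capabilities this unit does not grant cannot take effect here, so the header comment could say the environment file is shared and which options are usable. The two `SystemCallFilter=` denylist lines are deliberate as far as the hunk shows, but a one-line comment saying why a denylist was chosen over an allowlist would help reviewers of future changes.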