add chronyd-restricted service for minimal NTP client configurations

2023-01-25 15:16:13 +01:00 · 2023-01-25 15:16:13 +01:00 · 906e072deb
commit 906e072deb
parent 95d7d27489
2 changed files with 88 additions and 3 deletions
--- a/chrony-restricted.patch
+++ b/chrony-restricted.patch
@ -0,0 +1,79 @@
+commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Tue Jan 10 15:02:49 2023 +0100
+
+    examples: add chronyd-restricted.service
+    
+    This is a more restricted version of the chronyd service intended for
+    minimal NTP/NTS client configurations. The daemon is started without
+    root privileges and is allowed to write only to its own runtime, state,
+    and log directories. It cannot bind to privileged ports in order to
+    operate as an NTP server, or provide monitoring access over IPv4/IPv6.
+    It cannot use reference clocks, HW timestamping, RTC tracking, and other
+    features.
+
+diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service
+new file mode 100644
+index 00000000..50998338
+--- /dev/null
+++ b/examples/chronyd-restricted.service
+@@ -0,0 +1,59 @@
+# This is a more restricted version of the chronyd service intended for
+# minimal NTP/NTS client configurations. The daemon is started without root
+# privileges and is allowed to write only to its own runtime, state, and log
+# directories. It cannot bind to privileged ports in order to operate as an
+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use
+# reference clocks, HW timestamping, RTC tracking, and other features.
+[Unit]
+Description=NTP client (restricted)
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=chronyd.service ntpdate.service sntp.service ntpd.service
+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd -U $OPTIONS
+
+User=chrony
+LogsDirectory=chrony
+LogsDirectoryMode=0750
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=restart
+StateDirectory=chrony
+StateDirectoryMode=0750
+
+AmbientCapabilities=CAP_SYS_TIME
+CapabilityBoundingSet=CAP_SYS_TIME
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+# This breaks adjtimex()
+#PrivateUsers=yes
+ProcSubset=pid
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
+SystemCallFilter=~@reboot @resources @swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/chrony.spec
+++ b/chrony.spec
@ -25,6 +25,8 @@ Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c

 # add distribution-specific bits to DHCP dispatcher
 Patch1:         chrony-nm-dispatcher-dhcp.patch
+# add chronyd-restricted service
+Patch2:         chrony-restricted.patch

 BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
@ -56,6 +58,7 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
+%patch2 -p1 -b .restricted

 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}

@ -68,6 +71,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$')
        c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
        2b81c60c020626165ac655b2633608eb  examples/chrony.nm-dispatcher.onoffline
        677ad16d6439daa369da44a1b75d1772  examples/chronyd.service
+        f092f965dc61f691ca838958eeeb3377  examples/chronyd-restricted.service
 EOF

 # don't allow packaging without vendor zone
@ -130,6 +134,8 @@ install -m 644 -p examples/chrony.logrotate \

 install -m 644 -p examples/chronyd.service \
        $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
+install -m 644 -p examples/chronyd-restricted.service \
+        $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service
 install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
 install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
@ -169,13 +175,13 @@ if test -a %{_libexecdir}/chrony-helper; then
                sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
        done 2> /dev/null
 fi
-%systemd_post chronyd.service chrony-wait.service
+%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service

 %preun
-%systemd_preun chronyd.service chrony-wait.service
+%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service

 %postun
-%systemd_postun_with_restart chronyd.service
+%systemd_postun_with_restart chronyd.service chronyd-restricted.service

 %files
 %{!?_licensedir:%global license %%doc}