add chronyd-restricted service for minimal NTP client configurations

chrony-restricted.patch

@@ -0,0 +1,79 @@
+commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Tue Jan 10 15:02:49 2023 +0100
+
+    examples: add chronyd-restricted.service
+    
+    This is a more restricted version of the chronyd service intended for
+    minimal NTP/NTS client configurations. The daemon is started without
+    root privileges and is allowed to write only to its own runtime, state,
+    and log directories. It cannot bind to privileged ports in order to
+    operate as an NTP server, or provide monitoring access over IPv4/IPv6.
+    It cannot use reference clocks, HW timestamping, RTC tracking, and other
+    features.
+
+diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service
+new file mode 100644
+index 00000000..50998338
+--- /dev/null
++++ b/examples/chronyd-restricted.service
+@@ -0,0 +1,59 @@
++# This is a more restricted version of the chronyd service intended for
++# minimal NTP/NTS client configurations. The daemon is started without root
++# privileges and is allowed to write only to its own runtime, state, and log
++# directories. It cannot bind to privileged ports in order to operate as an
++# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use
++# reference clocks, HW timestamping, RTC tracking, and other features.
++[Unit]
++Description=NTP client (restricted)
++Documentation=man:chronyd(8) man:chrony.conf(5)
++After=chronyd.service ntpdate.service sntp.service ntpd.service
++Conflicts=chronyd.service ntpd.service systemd-timesyncd.service
++ConditionCapability=CAP_SYS_TIME
++
++[Service]
++Type=forking
++PIDFile=/run/chrony/chronyd.pid
++EnvironmentFile=-/etc/sysconfig/chronyd
++ExecStart=/usr/sbin/chronyd -U $OPTIONS
++
++User=chrony
++LogsDirectory=chrony
++LogsDirectoryMode=0750
++RuntimeDirectory=chrony
++RuntimeDirectoryMode=0750
++RuntimeDirectoryPreserve=restart
++StateDirectory=chrony
++StateDirectoryMode=0750
++
++AmbientCapabilities=CAP_SYS_TIME
++CapabilityBoundingSet=CAP_SYS_TIME
++DevicePolicy=closed
++LockPersonality=yes
++MemoryDenyWriteExecute=yes
++NoNewPrivileges=yes
++PrivateDevices=yes
++PrivateTmp=yes
++# This breaks adjtimex()
++#PrivateUsers=yes
++ProcSubset=pid
++ProtectControlGroups=yes
++ProtectHome=yes
++ProtectHostname=yes
++ProtectKernelLogs=yes
++ProtectKernelModules=yes
++ProtectKernelTunables=yes
++ProtectProc=invisible
++ProtectSystem=strict
++RemoveIPC=yes
++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
++RestrictNamespaces=yes
++RestrictRealtime=yes
++RestrictSUIDSGID=yes
++SystemCallArchitectures=native
++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
++SystemCallFilter=~@reboot @resources @swap
++UMask=0077
++
++[Install]
++WantedBy=multi-user.target

chrony.spec

@@ -25,6 +25,8 @@ Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 
 # add distribution-specific bits to DHCP dispatcher
 Patch1:         chrony-nm-dispatcher-dhcp.patch
+# add chronyd-restricted service
+Patch2:         chrony-restricted.patch
 
 BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
@@ -56,6 +58,7 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
+%patch2 -p1 -b .restricted
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 
@@ -68,6 +71,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$')
         c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
         2b81c60c020626165ac655b2633608eb  examples/chrony.nm-dispatcher.onoffline
         677ad16d6439daa369da44a1b75d1772  examples/chronyd.service
+        f092f965dc61f691ca838958eeeb3377  examples/chronyd-restricted.service
 EOF
 
 # don't allow packaging without vendor zone
@@ -130,6 +134,8 @@ install -m 644 -p examples/chrony.logrotate \
 
 install -m 644 -p examples/chronyd.service \
         $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
+install -m 644 -p examples/chronyd-restricted.service \
+        $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service
 install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
         $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
 install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
@@ -169,13 +175,13 @@ if test -a %{_libexecdir}/chrony-helper; then
                 sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
         done 2> /dev/null
 fi
-%systemd_post chronyd.service chrony-wait.service
+%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service
 
 %preun
-%systemd_preun chronyd.service chrony-wait.service
+%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service
 
 %postun
-%systemd_postun_with_restart chronyd.service
+%systemd_postun_with_restart chronyd.service chronyd-restricted.service
 
 %files
 %{!?_licensedir:%global license %%doc}