diff --git a/chrony-services.patch b/chrony-services.patch
new file mode 100644
index 0000000..94af6fd
--- /dev/null
+++ b/chrony-services.patch
@@ -0,0 +1,120 @@
+commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00
+Author: Miroslav Lichvar
+Date: Wed Sep 29 15:25:48 2021 +0200
+
+ examples: harden systemd services
+
+ Add various settings to the example chronyd and chrony-wait services to
+ decrease the exposure reported by the "systemd-analyze security"
+ command. The original exposure was high as the analyzer does not check
+ the actual process (e.g. that it dropped the root privileges or that it
+ has its own seccomp filter).
+
+ Limit read-write access to /run, /var/lib/chrony, and /var/spool.
+ Access to /run (instead of /run/chrony) is needed for the refclock
+ socket expected by gpsd.
+
+ The mailonchange directive is most likely to break as it executes
+ /usr/sbin/sendmail, which can do unexpected operations depending on the
+ implementation. It should work with a setuid/setgid binary, but it is
+ not expected to write outside of /var/spool and the private /tmp.
+
+diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
+index b3aa7aa2..72b028f2 100644
+--- a/examples/chrony-wait.service
++++ b/examples/chrony-wait.service
+@@ -16,5 +16,32 @@ TimeoutStartSec=180
+ RemainAfterExit=yes
+ StandardOutput=null
+ 
++CapabilityBoundingSet=
++DevicePolicy=closed
++DynamicUser=yes
++IPAddressAllow=localhost
++IPAddressDeny=any
++LockPersonality=yes
++MemoryDenyWriteExecute=yes
++PrivateDevices=yes
++PrivateUsers=yes
++ProcSubset=pid
++ProtectClock=yes
++ProtectControlGroups=yes
++ProtectHome=yes
++ProtectHostname=yes
++ProtectKernelLogs=yes
++ProtectKernelModules=yes
++ProtectKernelTunables=yes
++ProtectProc=invisible
++ProtectSystem=strict
++RestrictAddressFamilies=AF_INET AF_INET6
++RestrictNamespaces=yes
++RestrictRealtime=yes
++SystemCallArchitectures=native
++SystemCallFilter=@system-service
++SystemCallFilter=~@privileged @resources
++UMask=0777
++
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/examples/chronyd.service b/examples/chronyd.service
+index 289548cb..2cac6026 100644
+--- a/examples/chronyd.service
++++ b/examples/chronyd.service
+@@ -10,9 +10,40 @@ Type=forking
+ PIDFile=/run/chrony/chronyd.pid
+ EnvironmentFile=-/etc/sysconfig/chronyd
+ ExecStart=/usr/sbin/chronyd $OPTIONS
++
++CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
++CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
++CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
++CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
++CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
++DeviceAllow=char-pps rw
++DeviceAllow=char-ptp rw
++DeviceAllow=char-rtc rw
++DevicePolicy=closed
++LockPersonality=yes
++MemoryDenyWriteExecute=yes
++NoNewPrivileges=yes
+ PrivateTmp=yes
++ProcSubset=pid
++ProtectControlGroups=yes
+ ProtectHome=yes
+-ProtectSystem=full
++ProtectHostname=yes
++ProtectKernelLogs=yes
++ProtectKernelModules=yes
++ProtectKernelTunables=yes
++ProtectProc=invisible
++ProtectSystem=strict
++ReadWritePaths=/run /var/lib/chrony
++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
++RestrictNamespaces=yes
++RestrictSUIDSGID=yes
++SystemCallArchitectures=native
++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
++
++# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
++NoNewPrivileges=no
++ReadWritePaths=/var/spool
++RestrictAddressFamilies=AF_NETLINK
+ 
+ [Install]
+ WantedBy=multi-user.target
+
+Avoid a SELinux issue
+
+diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
+index 72b028f2..57646950 100644
+--- a/examples/chrony-wait.service
++++ b/examples/chrony-wait.service
+@@ -18,7 +18,7 @@ StandardOutput=null
+ 
+ CapabilityBoundingSet=
+ DevicePolicy=closed
+-DynamicUser=yes
++#DynamicUser=yes
+ IPAddressAllow=localhost
+ IPAddressDeny=any
+ LockPersonality=yes
diff --git a/chrony.spec b/chrony.spec
index 9ebf2c9..07e6b41 100644
--- a/chrony.spec
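Review bot: In chronyd.service the sendmail block's `NoNewPrivileges=no` silently replaces the `NoNewPrivileges=yes` set a few lines above it — for this boolean setting the last assignment wins, unlike the `ReadWritePaths=` and `RestrictAddressFamilies=` lines in the same block, which accumulate — so no_new_privs ends up disabled on every installation, not only those using the mailonchange directive. The comment above the block should say so, e.g. `# NoNewPrivileges=no below overrides the =yes above for all installations, not only those using mailonchange; drop it (or override it in a drop-in) if mailonchange is unused`. In chrony-wait.service the second commit comments out `DynamicUser=yes` with only the patch-level line "Avoid a SELinux issue" as explanation; an in-file comment such as `# DynamicUser=yes disabled to avoid an SELinux issue` would keep the reason next to the setting. With DynamicUser off and no `User=` line visible in the hunk, the account the unit runs under is determined outside this hunk.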
+++ b/chrony.spec
@@ -26,6 +26,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 Patch1: chrony-nm-dispatcher-dhcp.patch
 # update seccomp filter for new glibc
 Patch2: chrony-seccomp.patch
+# harden chronyd and chrony-wait services
+Patch3: chrony-services.patch
 BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
@@ -58,18 +60,19 @@ service to other computers in the network.
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
 %patch2 -p1 -b .seccomp
+%patch3 -p1 -b .services
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
- bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service
+ 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service
 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
 a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp
 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline
- 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service
+ 76c8a32a5ac6692a7f15f65e2b5f3239 examples/chronyd.service
 EOF
 # don't allow packaging without vendor zone