enable seccomp filter by default

Add -F 2 to default /etc/sysconfig/chronyd to enable a filter blocking a small number of specific system calls. The filter is incompatible with the mailonchange directive.
2021-05-13 16:39:42 +02:00 · 2021-05-13 16:39:42 +02:00 · eeffcafda9
commit eeffcafda9
parent c6a8172473
1 changed files with 1 additions and 1 deletions
--- a/chrony.spec
+++ b/chrony.spec
@ -138,7 +138,7 @@ install -m 644 -p examples/chrony-wait.service \

 cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
 # Command-line options for chronyd
-OPTIONS=""
+OPTIONS="%{?with_seccomp:-F 2}"
 EOF

 touch $RPM_BUILD_ROOT%{_localstatedir}/lib/chrony/{drift,rtc}