From eeffcafda90476da2600f66fa5cd1ac5d5bacebb Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Thu, 13 May 2021 16:39:42 +0200
Subject: [PATCH] enable seccomp filter by default

Add -F 2 to default /etc/sysconfig/chronyd to enable a filter blocking a
small number of specific system calls. The filter is incompatible with
the mailonchange directive.
---
 chrony.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chrony.spec b/chrony.spec
index 0862235..47508e5 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -138,7 +138,7 @@ install -m 644 -p examples/chrony-wait.service \
 
 cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
 # Command-line options for chronyd
-OPTIONS=""
+OPTIONS="%{?with_seccomp:-F 2}"
 EOF
 
 touch $RPM_BUILD_ROOT%{_localstatedir}/lib/chrony/{drift,rtc}