|
|
9f7b83 |
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
|
|
|
9f7b83 |
index 72b028f2..b3aa7aa2 100644
|
|
|
9f7b83 |
--- a/examples/chrony-wait.service
|
|
|
9f7b83 |
+++ b/examples/chrony-wait.service
|
|
|
9f7b83 |
@@ -16,32 +16,5 @@ TimeoutStartSec=180
|
|
|
9f7b83 |
RemainAfterExit=yes
|
|
|
9f7b83 |
StandardOutput=null
|
|
|
9f7b83 |
|
|
|
9f7b83 |
-CapabilityBoundingSet=
|
|
|
9f7b83 |
-DevicePolicy=closed
|
|
|
9f7b83 |
-DynamicUser=yes
|
|
|
9f7b83 |
-IPAddressAllow=localhost
|
|
|
9f7b83 |
-IPAddressDeny=any
|
|
|
9f7b83 |
-LockPersonality=yes
|
|
|
9f7b83 |
-MemoryDenyWriteExecute=yes
|
|
|
9f7b83 |
-PrivateDevices=yes
|
|
|
9f7b83 |
-PrivateUsers=yes
|
|
|
9f7b83 |
-ProcSubset=pid
|
|
|
9f7b83 |
-ProtectClock=yes
|
|
|
9f7b83 |
-ProtectControlGroups=yes
|
|
|
9f7b83 |
-ProtectHome=yes
|
|
|
9f7b83 |
-ProtectHostname=yes
|
|
|
9f7b83 |
-ProtectKernelLogs=yes
|
|
|
9f7b83 |
-ProtectKernelModules=yes
|
|
|
9f7b83 |
-ProtectKernelTunables=yes
|
|
|
9f7b83 |
-ProtectProc=invisible
|
|
|
9f7b83 |
-ProtectSystem=strict
|
|
|
9f7b83 |
-RestrictAddressFamilies=AF_INET AF_INET6
|
|
|
9f7b83 |
-RestrictNamespaces=yes
|
|
|
9f7b83 |
-RestrictRealtime=yes
|
|
|
9f7b83 |
-SystemCallArchitectures=native
|
|
|
9f7b83 |
-SystemCallFilter=@system-service
|
|
|
9f7b83 |
-SystemCallFilter=~@privileged @resources
|
|
|
9f7b83 |
-UMask=0777
|
|
|
9f7b83 |
-
|
|
|
9f7b83 |
[Install]
|
|
|
9f7b83 |
WantedBy=multi-user.target
|
|
|
9f7b83 |
diff --git a/examples/chronyd.service b/examples/chronyd.service
|
|
|
9f7b83 |
index 4fb930ef..289548cb 100644
|
|
|
9f7b83 |
--- a/examples/chronyd.service
|
|
|
9f7b83 |
+++ b/examples/chronyd.service
|
|
|
9f7b83 |
@@ -10,40 +10,9 @@ Type=forking
|
|
|
9f7b83 |
PIDFile=/run/chrony/chronyd.pid
|
|
|
9f7b83 |
EnvironmentFile=-/etc/sysconfig/chronyd
|
|
|
9f7b83 |
ExecStart=/usr/sbin/chronyd $OPTIONS
|
|
|
9f7b83 |
-
|
|
|
9f7b83 |
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
|
|
9f7b83 |
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
|
|
|
9f7b83 |
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
|
|
|
9f7b83 |
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
|
|
|
9f7b83 |
-CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
|
|
|
9f7b83 |
-DeviceAllow=char-pps rw
|
|
|
9f7b83 |
-DeviceAllow=char-ptp rw
|
|
|
9f7b83 |
-DeviceAllow=char-rtc rw
|
|
|
9f7b83 |
-DevicePolicy=closed
|
|
|
9f7b83 |
-LockPersonality=yes
|
|
|
9f7b83 |
-MemoryDenyWriteExecute=yes
|
|
|
9f7b83 |
-NoNewPrivileges=yes
|
|
|
9f7b83 |
PrivateTmp=yes
|
|
|
9f7b83 |
-ProcSubset=pid
|
|
|
9f7b83 |
-ProtectControlGroups=yes
|
|
|
9f7b83 |
ProtectHome=yes
|
|
|
9f7b83 |
-ProtectHostname=yes
|
|
|
9f7b83 |
-ProtectKernelLogs=yes
|
|
|
9f7b83 |
-ProtectKernelModules=yes
|
|
|
9f7b83 |
-ProtectKernelTunables=yes
|
|
|
9f7b83 |
-ProtectProc=invisible
|
|
|
9f7b83 |
-ProtectSystem=strict
|
|
|
9f7b83 |
-ReadWritePaths=/run /var/lib/chrony -/var/log
|
|
|
9f7b83 |
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
|
9f7b83 |
-RestrictNamespaces=yes
|
|
|
9f7b83 |
-RestrictSUIDSGID=yes
|
|
|
9f7b83 |
-SystemCallArchitectures=native
|
|
|
9f7b83 |
-SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
|
|
|
9f7b83 |
-
|
|
|
9f7b83 |
-# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
|
|
|
9f7b83 |
-NoNewPrivileges=no
|
|
|
9f7b83 |
-ReadWritePaths=-/var/spool
|
|
|
9f7b83 |
-RestrictAddressFamilies=AF_NETLINK
|
|
|
9f7b83 |
+ProtectSystem=full
|
|
|
9f7b83 |
|
|
|
9f7b83 |
[Install]
|
|
|
9f7b83 |
WantedBy=multi-user.target
|