From b2d2d555a704148968cb7e566735a2a1b1a2f189 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Tue, 9 Apr 2024 14:48:01 +0200
Subject: Adding upstream version 4.5.
Signed-off-by: Daniel Baumann
---
examples/chrony-wait.service | 46 +++++
examples/chrony.conf.example1 | 12 ++
examples/chrony.conf.example2 | 47 +++++
examples/chrony.conf.example3 | 334 ++++++++++++++++++++++++++++++++
examples/chrony.keys.example | 15 ++
examples/chrony.logrotate | 8 +
examples/chrony.nm-dispatcher.dhcp | 49 +++++
examples/chrony.nm-dispatcher.onoffline | 29 +++
examples/chronyd-restricted.service | 58 ++++++
examples/chronyd.service | 48 +++++
10 files changed, 646 insertions(+)
create mode 100644 examples/chrony-wait.service
create mode 100644 examples/chrony.conf.example1
create mode 100644 examples/chrony.conf.example2
create mode 100644 examples/chrony.conf.example3
create mode 100644 examples/chrony.keys.example
create mode 100644 examples/chrony.logrotate
create mode 100644 examples/chrony.nm-dispatcher.dhcp
create mode 100644 examples/chrony.nm-dispatcher.onoffline
create mode 100644 examples/chronyd-restricted.service
create mode 100644 examples/chronyd.service
(limited to 'examples')
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
new file mode 100644
index 0000000..374f633
--- /dev/null
+++ b/examples/chrony-wait.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
+After=chronyd.service
+Requires=chronyd.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+# Wait for at most 3 minutes
+TimeoutStartSec=180
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/chrony.conf.example1 b/examples/chrony.conf.example1
new file mode 100644
index 0000000..5e93ea7
--- /dev/null
+++ b/examples/chrony.conf.example1
@@ -0,0 +1,12 @@
+# Use public NTP servers from the pool.ntp.org project.
+pool pool.ntp.org iburst
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
diff --git a/examples/chrony.conf.example2 b/examples/chrony.conf.example2
new file mode 100644
index 0000000..bf2bbdd
--- /dev/null
+++ b/examples/chrony.conf.example2
@@ -0,0 +1,47 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (https://www.pool.ntp.org/join.html).
+pool pool.ntp.org iburst
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Require authentication (nts or key option) for all NTP sources.
+#authselectmode require
+
+# Specify file containing keys for NTP authentication.
+#keyfile /etc/chrony.keys
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Insert/delete leap seconds by slewing instead of stepping.
+#leapsecmode slew
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+#leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
diff --git a/examples/chrony.conf.example3 b/examples/chrony.conf.example3
new file mode 100644
index 0000000..6d84c01
--- /dev/null
+++ b/examples/chrony.conf.example3
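Review bot: In examples/chrony.conf.example2 the commented-out `#authselectmode require` does not say that it conflicts with the only source the file defines, `pool pool.ntp.org iburst`, which carries neither the nts nor the key option. Uncommenting that one line on its own would leave chronyd with no source it is permitted to select. I would extend the comment to `# Require authentication (nts or key option) for all NTP sources; the pool line above must then be replaced by sources that use nts or key.` so the dependency is visible where the switch is.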
@@ -0,0 +1,334 @@
+#######################################################################
+#
+# This is an example chrony configuration file. You should copy it to
+# /etc/chrony.conf after uncommenting and editing the options that you
+# want to enable. The more obscure options are not included. Refer
+# to the documentation for these.
+#
+#######################################################################
+### COMMENTS
+# Any of the following lines are comments (you have a choice of
+# comment start character):
+# a comment
+% a comment
+! a comment
+; a comment
+#
+# Below, the '!' form is used for lines that you might want to
+# uncomment and edit to make your own chrony.conf file.
+#
+#######################################################################
+#######################################################################
+### SPECIFY YOUR NTP SERVERS
+# Most computers using chrony will send measurement requests to one or
+# more 'NTP servers'. You will probably find that your Internet Service
+# Provider or company have one or more NTP servers that you can specify.
+# Failing that, there are a lot of public NTP servers. There is a list
+# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
+# you can use servers from the pool.ntp.org project.
+
+! server ntp1.example.net iburst
+! server ntp2.example.net iburst
+! server ntp3.example.net iburst
+
+! pool pool.ntp.org iburst
+
+#######################################################################
+### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
+#
+# To avoid changes being made to your computer's gain/loss compensation
+# when the measurement history is too erratic, you might want to enable
+# one of the following lines. The first seems good with servers on the
+# Internet, the second seems OK for a LAN environment.
+
+! maxupdateskew 100
+! maxupdateskew 5
+
+# If you want to increase the minimum number of selectable sources
+# required to update the system clock in order to make the
+# synchronisation more reliable, uncomment (and edit) the following
+# line.
+
+! minsources 2
+
+# If your computer has a good stable clock (e.g. it is not a virtual
+# machine), you might also want to reduce the maximum assumed drift
+# (frequency error) of the clock (the value is specified in ppm).
+
+! maxdrift 100
+
+# By default, chronyd allows synchronisation to an unauthenticated NTP
+# source (i.e. specified without the nts and key options) if it agrees with
+# a majority of authenticated NTP sources, or if no authenticated source is
+# specified. If you don't want chronyd to ever synchronise to an
+# unauthenticated NTP source, uncomment the first from the following lines.
+# If you don't want to synchronise to an unauthenticated NTP source only
+# when an authenticated source is specified, uncomment the second line.
+# If you want chronyd to ignore authentication in the source selection,
+# uncomment the third line.
+
+! authselectmode require
+! authselectmode prefer
+! authselectmode ignore
+
+#######################################################################
+### FILENAMES ETC
+# Chrony likes to keep information about your computer's clock in files.
+# The 'driftfile' stores the computer's clock gain/loss rate in parts
+# per million. When chronyd starts, the system clock can be tuned
+# immediately so that it doesn't gain or lose any more time. You
+# generally want this, so it is uncommented.
+
+driftfile /var/lib/chrony/drift
+
+# If you want to enable NTP authentication with symmetric keys, you will need
+# to uncomment the following line and edit the file to set up the keys.
+
+! keyfile /etc/chrony.keys
+
+# If you specify an NTP server with the nts option to enable authentication
+# with the Network Time Security (NTS) mechanism, or enable server NTS with
+# the ntsservercert and ntsserverkey directives below, the following line will
+# allow the client/server to save the NTS keys and cookies in order to reduce
+# the number of key establishments (NTS-KE sessions).
+
+ntsdumpdir /var/lib/chrony
+
+# If chronyd is configured to act as an NTP server and you want to enable NTS
+# for its clients, you will need a TLS certificate and private key. Uncomment
+# and edit the following lines to specify the locations of the certificate and
+# key.
+
+! ntsservercert /etc/.../nts-server.crt
+! ntsserverkey /etc/.../nts-server.key
+
+# chronyd can save the measurement history for the servers to files when
+# it exits. This is useful in 2 situations:
+#
+# 1. If you stop chronyd and restart it with the '-r' option (e.g. after
+# an upgrade), the old measurements will still be relevant when chronyd
+# is restarted. This will reduce the time needed to get accurate
+# gain/loss measurements.
+#
+# 2. On Linux, if you use the RTC support and start chronyd with
+# '-r -s' on bootup, measurements from the last boot will still be
+# useful (the real time clock is used to 'flywheel' chronyd between
+# boots).
+#
+# Uncomment the following line to use this.
+
+! dumpdir /var/lib/chrony
+
+# chronyd writes its process ID to a file. If you try to start a second
+# copy of chronyd, it will detect that the process named in the file is
+# still running and bail out. If you want to change the path to the PID
+# file, uncomment this line and edit it. The default path is shown.
+
+! pidfile /var/run/chrony/chronyd.pid
+
+# If the system timezone database is kept up to date and includes the
+# right/UTC timezone, chronyd can use it to determine the current
+# TAI-UTC offset and when will the next leap second occur.
+
+! leapsectz right/UTC
+
+#######################################################################
+### INITIAL CLOCK CORRECTION
+# This option is useful to quickly correct the clock on start if it's
+# off by a large amount. The value '1.0' means that if the error is less
+# than 1 second, it will be gradually removed by speeding up or slowing
+# down your computer's clock until it is correct. If the error is above
+# 1 second, an immediate time jump will be applied to correct it. The
+# value '3' means the step is allowed only in the first three updates of
+# the clock. Some software can get upset if the system clock jumps
+# (especially backwards), so be careful!
+
+! makestep 1.0 3
+
+#######################################################################
+### LEAP SECONDS
+# A leap second is an occasional one-second correction of the UTC
+# time scale. By default, chronyd tells the kernel to insert/delete
+# the leap second, which makes a backward/forward step to correct the
+# clock for it. As with the makestep directive, this jump can upset
+# some applications. If you prefer chronyd to make a gradual
+# correction, causing the clock to be off for a longer time, uncomment
+# the following line.
+
+! leapsecmode slew
+
+#######################################################################
+### LOGGING
+# If you want to log information about the time measurements chronyd has
+# gathered, you might want to enable the following lines. You probably
+# only need this if you really enjoy looking at the logs, you want to
+# produce some graphs of your system's timekeeping performance, or you
+# need help in debugging a problem.
+
+! logdir /var/log/chrony
+! log measurements statistics tracking
+
+# If you have real time clock support enabled (see below), you might want
+# this line instead:
+
+! log measurements statistics tracking rtc
+
+#######################################################################
+### ACTING AS AN NTP SERVER
+# You might want the computer to be an NTP server for other computers.
+#
+# By default, chronyd does not allow any clients to access it. You need
+# to explicitly enable access using 'allow' and 'deny' directives.
+#
+# e.g. to enable client access from the 192.168.*.* class B subnet,
+
+! allow 192.168/16
+
+# .. but disallow the 192.168.100.* subnet of that,
+
+! deny 192.168.100/24
+
+# You can have as many allow and deny directives as you need. The order
+# is unimportant.
+
+# If you want to present your computer's time for others to synchronise
+# with, even if you don't seem to be synchronised to any NTP servers
+# yourself, enable the following line. The value 10 may be varied
+# between 1 and 15. You should avoid small values because you will look
+# like a real NTP server. The value 10 means that you appear to be 10
+# NTP 'hops' away from an authoritative source (atomic clock, GPS
+# receiver, radio clock etc).
+
+! local stratum 10
+
+# Normally, chronyd will keep track of how many times each client
+# machine accesses it. The information can be accessed by the 'clients'
+# command of chronyc. You can disable this facility by uncommenting the
+# following line. This will save a bit of memory if you have many
+# clients and it will also disable support for the interleaved mode.
+
+! noclientlog
+
+# The clientlog size is limited to 512KB by default. If you have many
+# clients, you might want to increase the limit.
+
+! clientloglimit 4194304
+
+# By default, chronyd tries to respond to all valid NTP requests from
+# allowed addresses. If you want to limit the response rate for NTP
+# clients that are sending requests too frequently, uncomment and edit
+# the following line.
+
+! ratelimit interval 3 burst 8
+
+#######################################################################
+### REPORTING BIG CLOCK CHANGES
+# Perhaps you want to know if chronyd suddenly detects any large error
+# in your computer's clock. This might indicate a fault or a problem
+# with the server(s) you are using, for example.
+#
+# The next option causes a message to be written to syslog when chronyd
+# has to correct an error above 0.5 seconds (you can use any amount you
+# like).
+
+! logchange 0.5
+
+# The next option will send email to the named person when chronyd has
+# to correct an error above 0.5 seconds. (If you need to send mail to
+# several people, you need to set up a mailing list or sendmail alias
+# for them and use the address of that.)
+
+! mailonchange wibble@example.net 0.5
+
+#######################################################################
+### COMMAND ACCESS
+# The program chronyc is used to show the current operation of chronyd
+# and to change parts of its configuration whilst it is running.
+
+# By default chronyd binds to the loopback interface. Uncomment the
+# following lines to allow receiving command packets from remote hosts.
+
+! bindcmdaddress 0.0.0.0
+! bindcmdaddress ::
+
+# Normally, chronyd will only allow connections from chronyc on the same
+# machine as itself. This is for security. If you have a subnet
+# 192.168.*.* and you want to be able to use chronyc from any machine on
+# it, you could uncomment the following line. (Edit this to your own
+# situation.)
+
+! cmdallow 192.168/16
+
+# You can add as many 'cmdallow' and 'cmddeny' lines as you like. The
+# syntax and meaning is the same as for 'allow' and 'deny', except that
+# 'cmdallow' and 'cmddeny' control access to the chronyd's command port.
+
+# Rate limiting can be enabled also for command packets. (Note,
+# commands from localhost are never limited.)
+
+! cmdratelimit interval -4 burst 16
+
+#######################################################################
+### HARDWARE TIMESTAMPING
+# On Linux, if the network interface controller and its driver support
+# hardware timestamping, it can significantly improve the accuracy of
+# synchronisation. It can be enabled on specified interfaces only, or it
+# can be enabled on all interfaces that support it.
+
+! hwtimestamp eth0
+! hwtimestamp *
+
+#######################################################################
+### REAL TIME CLOCK
+# chronyd can characterise the system's real-time clock. This is the
+# clock that keeps running when the power is turned off, so that the
+# machine knows the approximate time when it boots again. The error at
+# a particular epoch and gain/loss rate can be written to a file and
+# used later by chronyd when it is started with the '-s' option.
+#
+# You need to have 'enhanced RTC support' compiled into your Linux
+# kernel. (Note, these options apply only to Linux.)
+
+! rtcfile /var/lib/chrony/rtc
+
+# Your RTC can be set to keep Universal Coordinated Time (UTC) or local
+# time. (Local time means UTC +/- the effect of your timezone.) If you
+# use UTC, chronyd will function correctly even if the computer is off
+# at the epoch when you enter or leave summer time (aka daylight saving
+# time). However, if you dual boot your system with Microsoft Windows,
+# that will work better if your RTC maintains local time. You take your
+# pick!
+
+! rtconutc
+
+# By default chronyd assumes that the enhanced RTC device is accessed as
+# /dev/rtc. If it's accessed somewhere else on your system (e.g. you're
+# using devfs), uncomment and edit the following line.
+
+! rtcdevice /dev/misc/rtc
+
+# Alternatively, if not using the -s option, this directive can be used
+# to enable a mode in which the RTC is periodically set to the system
+# time, with no tracking of its drift.
+
+! rtcsync
+
+#######################################################################
+### REAL TIME SCHEDULER
+# This directive tells chronyd to use the real-time FIFO scheduler with the
+# specified priority (which must be between 0 and 100). This should result
+# in reduced latency. You don't need it unless you really have a requirement
+# for extreme clock stability. Works only on Linux. Note that the "-P"
+# command-line switch will override this.
+
+! sched_priority 1
+
+#######################################################################
+### LOCKING CHRONYD INTO RAM
+# This directive tells chronyd to use the mlockall() syscall to lock itself
+# into RAM so that it will never be paged out. This should result in reduced
+# latency. You don't need it unless you really have a requirement
+# for extreme clock stability. Works only on Linux. Note that the "-m"
+# command-line switch will also enable this feature.
+
+! lock_all
diff --git a/examples/chrony.keys.example b/examples/chrony.keys.example
new file mode 100644
index 0000000..05e720c
--- /dev/null
+++ b/examples/chrony.keys.example
@@ -0,0 +1,15 @@
+# This is an example chrony keys file. It enables authentication of NTP
+# packets with symmetric keys when its location is specified by the keyfile
+# directive in chrony.conf(5). It should be readable only by root and the
+# user under which chronyd is running.
+#
+# Don't use the example keys! It's recommended to generate random keys using
+# the chronyc keygen command.
+
+# Examples of valid keys:
+
+#1 MD5 AVeryLongAndRandomPassword
+#2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F
+#3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995
+#4 AES128 HEX:2DA837C4B6573748CA692B8C828E4891
+#5 AES256 HEX:2666B8099BFF2D5BA20876121788ED24D2BE59111B8FFB562F0F56AE6EC7246E
diff --git a/examples/chrony.logrotate b/examples/chrony.logrotate
new file mode 100644
index 0000000..2823a1a
--- /dev/null
+++ b/examples/chrony.logrotate
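Review bot: In examples/chrony.conf.example3 the comment above `! ntsservercert` / `! ntsserverkey` says where to put the TLS certificate and private key but nothing about who may read the key. chrony.keys.example in this same commit does state that its file should be readable only by root and the chronyd user, and the NTS private key deserves the same treatment. I would add one comment line before the two directives, for example `# The private key should be readable only by the user under which chronyd runs.` The `/etc/.../` placeholder path is fine as it stands.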
@@ -0,0 +1,8 @@
+/var/log/chrony/*.log {
+ missingok
+ nocreate
+ sharedscripts
+ postrotate
+ /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
+ endscript
+}
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
new file mode 100644
index 0000000..547ce83
--- /dev/null
+++ b/examples/chrony.nm-dispatcher.dhcp
@@ -0,0 +1,49 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher script for chronyd to update
+# its NTP sources with servers from DHCP options passed by NetworkManager
+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables.
+
+export LC_ALL=C
+
+interface=$1
+action=$2
+
+chronyc=/usr/bin/chronyc
+server_options=iburst
+server_dir=/var/run/chrony-dhcp
+
+dhcp_server_file=$server_dir/$interface.sources
+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
+
+add_servers_from_dhcp() {
+ rm -f "$dhcp_server_file"
+ for server in $dhcp_ntp_servers; do
+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
+ len1=$(printf '%s' "$server" | wc -c)
+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c)
+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then
+ continue
+ fi
+
+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
+ done
+ $chronyc reload sources > /dev/null 2>&1 || :
+}
+
+clear_servers_from_dhcp() {
+ if [ -f "$dhcp_server_file" ]; then
+ rm -f "$dhcp_server_file"
+ $chronyc reload sources > /dev/null 2>&1 || :
+ fi
+}
+
+mkdir -p $server_dir
+
+case "$action" in
+ up|dhcp4-change|dhcp6-change)
+ add_servers_from_dhcp;;
+ down)
+ clear_servers_from_dhcp;;
+esac
+
+exit 0
diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
new file mode 100644
index 0000000..18f5c3f
--- /dev/null
+++ b/examples/chrony.nm-dispatcher.onoffline
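Review bot: In examples/chrony.nm-dispatcher.dhcp, `for server in $dhcp_ntp_servers; do` inside add_servers_from_dhcp expands the DHCP-supplied list unquoted, so the shell applies pathname expansion to each word before the character check runs. A word containing a glob character is replaced by file names from the working directory, and any of those made only of the permitted characters pass the check and are written to the sources file. Word splitting is what the loop needs and globbing is not, so I would add `set -f` next to `export LC_ALL=C`. Separately, `$interface` is taken from `$1` and used in `$dhcp_server_file` without any check; the script appears to rely on NetworkManager passing a plain interface name, which is worth stating in a comment.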
@@ -0,0 +1,29 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher / networkd-dispatcher script for
+# chronyd to set its NTP sources online or offline when a network interface
+# is configured or removed
+
+export LC_ALL=C
+
+chronyc=/usr/bin/chronyc
+
+# For NetworkManager consider only selected events
+if [ $# -ge 2 ]; then
+ case "$2" in
+ up|down|connectivity-change)
+ ;;
+ dhcp4-change|dhcp6-change)
+ # Actions "up" and "connectivity-change" in some cases do not
+ # guarantee that the interface has a route (e.g. a bond).
+ # dhcp(x)-change handles at least cases that use DHCP.
+ ;;
+ *)
+ exit 0;;
+ esac
+fi
+
+# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
+
+$chronyc onoffline > /dev/null 2>&1
+
+exit 0
diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service
new file mode 100644
index 0000000..30ba7d9
--- /dev/null
+++ b/examples/chronyd-restricted.service
@@ -0,0 +1,58 @@
+# This is a more restricted version of the chronyd service intended for
+# minimal NTP/NTS client configurations. The daemon is started without root
+# privileges and is allowed to write only to its own runtime, state, and log
+# directories. It cannot bind to privileged ports in order to operate as an
+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use
+# reference clocks, HW timestamping, RTC tracking, and other features.
+[Unit]
+Description=NTP client (restricted)
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=chronyd.service ntpdate.service sntp.service ntpd.service
+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd -U $OPTIONS
+
+User=chrony
+LogsDirectory=chrony
+LogsDirectoryMode=0750
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=restart
+StateDirectory=chrony
+StateDirectoryMode=0750
+
+AmbientCapabilities=CAP_SYS_TIME
+CapabilityBoundingSet=CAP_SYS_TIME
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+# This breaks adjtimex()
+#PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
+SystemCallFilter=~@reboot @resources @swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
new file mode 100644
index 0000000..a42eb92
--- /dev/null
+++ b/examples/chronyd.service
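Review bot: `ExecStart=/usr/sbin/chronyd -U $OPTIONS` in examples/chronyd-restricted.service is the one line the whole non-root design depends on, and it carries no comment. The header explains that the daemon starts without root privileges, but not that `-U` is what disables chronyd's root check. Anyone who copies the hardening block into another unit without the flag, or drops the flag while editing `$OPTIONS`, gets a start-up failure with no hint why. I would add a comment above ExecStart such as `# -U: skip the root-privileges check; the unit runs as User=chrony with only CAP_SYS_TIME`.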
@@ -0,0 +1,48 @@
+[Unit]
+Description=NTP client/server
+Documentation=man:chronyd(8) man:chrony.conf(5)
+After=ntpdate.service sntp.service ntpd.service
+Conflicts=ntpd.service systemd-timesyncd.service
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/sysconfig/chronyd
+ExecStart=/usr/sbin/chronyd $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run /var/lib/chrony -/var/log
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+NoNewPrivileges=no
+ReadWritePaths=-/var/spool
+RestrictAddressFamilies=AF_NETLINK
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
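Review bot: The trailing "Adjust restrictions for /usr/sbin/sendmail" block in examples/chronyd.service is active for every install, so its `NoNewPrivileges=no` overrides the `NoNewPrivileges=yes` set earlier in the same [Service] section. The block also widens the writable paths with `/var/spool` and the permitted address families with `AF_NETLINK`. Hosts that never configure mailonchange therefore run with weaker sandboxing than the upper half of the unit suggests. I would ship the three lines commented out, `#NoNewPrivileges=no`, `#ReadWritePaths=-/var/spool`, `#RestrictAddressFamilies=AF_NETLINK`, and reword the comment to say they should be enabled only when mailonchange is in use.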