diff options
Diffstat (limited to '')
-rw-r--r-- | debian/chrony.service | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/debian/chrony.service b/debian/chrony.service new file mode 100644 index 0000000..50d08fa --- /dev/null +++ b/debian/chrony.service @@ -0,0 +1,65 @@ +[Unit] +Description=chrony, an NTP client/server +Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5) +Conflicts=openntpd.service ntp.service ntpsec.service +Wants=time-sync.target +Before=time-sync.target +After=network.target +ConditionCapability=CAP_SYS_TIME + +[Service] +Type=forking +PIDFile=/run/chrony/chronyd.pid +EnvironmentFile=-/etc/default/chrony +User=_chrony +# Daemon is started as root, but still sandboxed +ExecStart=!/usr/sbin/chronyd $DAEMON_OPTS + +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM +DeviceAllow=char-pps rw +DeviceAllow=char-ptp rw +DeviceAllow=char-rtc rw +DevicePolicy=closed +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateTmp=yes +ProcSubset=pid +ProtectControlGroups=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +# Used for gps refclocks +ReadWritePaths=/run +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap + +ConfigurationDirectory=chrony +RuntimeDirectory=chrony +RuntimeDirectoryMode=0700 +# See dumpdir in chrony.conf(5) +RuntimeDirectoryPreserve=restart +StateDirectory=chrony +StateDirectoryMode=0750 +LogsDirectory=chrony +LogsDirectoryMode=0750 + +# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) +NoNewPrivileges=no +ReadWritePaths=-/var/spool +RestrictAddressFamilies=AF_NETLINK + +[Install] +Alias=chronyd.service +WantedBy=multi-user.target |