From 7b7eb0a6e550ff4b366b4d0a803ed7d742da8c38 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 30 Jan 2017 15:07:48 +0100
Subject: [PATCH] examples: improve systemd unit files

Add the PrivateTmp, ProtectHome, and ProtectSystem directives to better secure the system from chronyd. It's taken from the Debian chrony package.
---
 examples/chrony-wait.service | 1 +
 examples/chronyd.service | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index f629ad9..0f5e2e7 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
 After=chronyd.service
 Requires=chronyd.service
 Before=time-sync.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 927a478..4ffe3b1 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -10,6 +10,9 @@ Type=forking
 PIDFile=/var/run/chronyd.pid
 EnvironmentFile=-/etc/sysconfig/chronyd
 ExecStart=/usr/sbin/chronyd $OPTIONS
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
 [Install]
 WantedBy=multi-user.target
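Review bot: The three sandboxing directives added after `ExecStart=` in examples/chronyd.service carry no comment saying which chrony.conf paths they constrain. `ProtectSystem=full` mounts /usr, /boot and /etc read-only, `ProtectHome=yes` hides /home, /root and /run/user, and `PrivateTmp=yes` gives the daemon its own /tmp and /var/tmp, so a configuration that points `driftfile`, `dumpdir`, `logdir` or a SOCK refclock at one of those locations would presumably stop working under this unit; that is worth confirming against the example configs. I would add `# Sandboxing: /etc, /usr and /boot are read-only, /home is hidden, /tmp is private; keep driftfile, dumpdir and logdir under /var` above `PrivateTmp=yes`. The [Service] section starts outside the hunk, so whether other restrictions are already set there cannot be seen from here.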