83f96efdfd
Add various settings to the example chronyd and chrony-wait services to decrease the exposure reported by the "systemd-analyze security" command. The original exposure was high as the analyzer does not check the actual process (e.g. that it dropped the root privileges or that it has its own seccomp filter). Limit read-write access to /run, /var/lib/chrony, and /var/spool. Access to /run (instead of /run/chrony) is needed for the refclock socket expected by gpsd. The mailonchange directive is most likely to break as it executes /usr/sbin/sendmail, which can do unexpected operations depending on the implementation. It should work with a setuid/setgid binary, but it is not expected to write outside of /var/spool and the private /tmp. |
||
|---|---|---|
| .. | ||
| chrony-wait.service | ||
| chrony.conf.example1 | ||
| chrony.conf.example2 | ||
| chrony.conf.example3 | ||
| chrony.keys.example | ||
| chrony.logrotate | ||
| chrony.nm-dispatcher.dhcp | ||
| chrony.nm-dispatcher.onoffline | ||
| chronyd.service | ||