From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 30 Jan 2017 14:07:48 +0000 (+0100)
Subject: examples: improve systemd unit files
X-Git-Tag: 3.1~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b7eb0a6e550ff4b366b4d0a803ed7d742da8c38;p=thirdparty%2Fchrony.git

examples: improve systemd unit files

Add the PrivateTmp, ProtectHome, and ProtectSystem directives to better
secure the system from chronyd. It's taken from the Debian chrony
package.
---

diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index f629ad9b..0f5e2e76 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
 After=chronyd.service
 Requires=chronyd.service
 Before=time-sync.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 927a478f..4ffe3b19 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -10,6 +10,9 @@ Type=forking
 PIDFile=/var/run/chronyd.pid
 EnvironmentFile=-/etc/sysconfig/chronyd
 ExecStart=/usr/sbin/chronyd $OPTIONS
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
 
 [Install]
 WantedBy=multi-user.target