Accepting request 915264 from home:jsegitz:branches:systemdhardening:network:time

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/915264
OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=104
Reinhard Max 2021-09-04 15:06:47 +00:00 committed by Git OBS Bridge
parent f1e86c08f1
commit a94c383238
4 changed files with 55 additions and 0 deletions


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s). Added patch(es):
* harden_chrony-wait.service.patch
* harden_chronyd.service.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 1 12:38:13 UTC 2021 - Reinhard Max <max@suse.com> Thu Jul 1 12:38:13 UTC 2021 - Reinhard Max <max@suse.com>


@ -55,6 +55,8 @@ Patch1: chrony-service-helper.patch
Patch2: chrony-logrotate.patch Patch2: chrony-logrotate.patch
Patch3: chrony-service-ordering.patch Patch3: chrony-service-ordering.patch
Patch4: chrony-refid-internal-md5.patch Patch4: chrony-refid-internal-md5.patch
Patch5: harden_chrony-wait.service.patch
Patch6: harden_chronyd.service.patch
BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -155,6 +157,8 @@ sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
%patch2 -p1 %patch2 -p1
%patch3 %patch3
%patch4 %patch4
%patch5 -p1
%patch6 -p1
# Remove pool statements from the default /etc/chrony.conf. They will # Remove pool statements from the default /etc/chrony.conf. They will
# be provided by branding packages in /etc/chrony.d/pool.conf . # be provided by branding packages in /etc/chrony.d/pool.conf .


@ -0,0 +1,24 @@
Index: chrony-4.1/examples/chrony-wait.service
===================================================================
--- chrony-4.1.orig/examples/chrony-wait.service
+++ chrony-4.1/examples/chrony-wait.service
@@ -7,6 +7,19 @@ Before=time-sync.target
Wants=time-sync.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=oneshot
# Wait for chronyd to update the clock and the remaining
# correction to be less than 0.1 seconds
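Review bot: The added block, in particular `PrivateDevices=true` and `ProtectClock=true`, is acceptable for this unit only because `chronyc waitsync` never touches the clock or a device node; as far as I can tell it needs to create its own client socket under /run/chrony to reach chronyd's Unix socket (falling back to UDP on localhost otherwise), and none of the added directives restrict /run or socket families, so it should keep working. The request description states the change is untested, so the concrete check before accepting is that `chronyc waitsync` still returns success under the patched unit rather than timing out at TimeoutStartSec. Since the process only speaks to a local socket, `NoNewPrivileges=true` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` would fit naturally in the same "added automatically" block. The [Service] section continues past the end of this hunk.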


@ -0,0 +1,20 @@
Index: chrony-4.1/examples/chronyd.service
===================================================================
--- chrony-4.1.orig/examples/chronyd.service
+++ chrony-4.1/examples/chronyd.service
@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+DeviceAllow=char-rtc
+# end of automatic additions
[Install]
WantedBy=multi-user.target
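Review bot: `DeviceAllow=char-rtc` following `PrivateDevices=true` most likely does not give chronyd the RTC back: `PrivateDevices=` mounts a private /dev that holds only the API pseudo-devices, so /dev/rtc0 (and likewise /dev/ptp* and /dev/pps* used by hardware timestamping and reference clocks) is absent regardless of the device-cgroup policy, and `DeviceAllow=` only adjusts that cgroup policy (which `PrivateDevices=` implies as `DevicePolicy=closed`). If the shipped configuration uses `rtcfile`/`hwclockfile`, the `-s` option or hardware timestamping, chronyd will, as I understand it, log a warning and carry on without them, so the regression is easy to miss; the request description already says this was not tested, and that is the case to exercise before accepting. If RTC access is genuinely required, `DevicePolicy=closed` together with `DeviceAllow=char-rtc rw` in place of `PrivateDevices=true` keeps the cgroup restriction without hiding the node.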