chrony/harden_chronyd.service.patch

--- examples/chronyd.service.orig
+++ examples/chronyd.service
@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=full
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+DeviceAllow=char-rtc
+DeviceAllow=char-ptp
+# end of automatic additions 
 
 [Install]
 WantedBy=multi-user.target
- boo#1190926: PrivateDevices is too strict, we might need to access the rtc and ptp devices. - Add back support to build chrony on SLE12. - Drop dependency on asciidoctor. It is only needed for building the HTML documentation which we don't package anyway. OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=105 2021-10-08 16:29:48 +00:00			`--- examples/chronyd.service.orig`
			`+++ examples/chronyd.service`
			`@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae`
Accepting request 915264 from home:jsegitz:branches:systemdhardening:network:time Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/915264 OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=104 2021-09-04 15:06:47 +00:00			`PrivateTmp=yes`
			`ProtectHome=yes`
			`ProtectSystem=full`
			`+# added automatically, for details please see`
			`+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
			`+ProtectHostname=true`
			`+ProtectKernelModules=true`
			`+ProtectKernelLogs=true`
			`+ProtectControlGroups=true`
			`+DeviceAllow=char-rtc`
- boo#1190926: PrivateDevices is too strict, we might need to access the rtc and ptp devices. - Add back support to build chrony on SLE12. - Drop dependency on asciidoctor. It is only needed for building the HTML documentation which we don't package anyway. OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=105 2021-10-08 16:29:48 +00:00			`+DeviceAllow=char-ptp`
Accepting request 915264 from home:jsegitz:branches:systemdhardening:network:time Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/915264 OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=104 2021-09-04 15:06:47 +00:00			`+# end of automatic additions`

			`[Install]`
			`WantedBy=multi-user.target`