2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2025 by someone <someone@somenet.org>
# Unit-level metadata and start conditions for the chrony time service.
# NOTE(review): the section header these keys belong under (normally [Unit])
# is not visible in this listing.
10 Description=chrony, an NTP client/server
11 Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
# Mutually exclusive with the listed NTP daemons: starting this unit stops
# them and vice versa, so two time daemons do not run at once.
12 Conflicts=openntpd.service ntp.service ntpsec.service
# Skip the unit (a condition failure, not an error) when CAP_SYS_TIME is not
# in the service manager's capability bounding set, e.g. inside a container
# that is not allowed to set the clock.
13 ConditionCapability=CAP_SYS_TIME
# File systemd reads the daemon's main PID from.
# NOTE(review): the Type= line is not visible in this listing.
17 PIDFile=/run/chrony/chronyd.pid
# Leading "-": a missing /etc/default/chrony is not an error.
# $DAEMON_OPTS below is expanded from the unit's environment, presumably set
# in this file. Its content ends up on the command line of a process that
# starts as root, so the file should be writable by root only.
18 EnvironmentFile=-/etc/default/chrony
20 # Daemon is started as root, but still sandboxed
# The "!" prefix makes systemd ignore User=, Group= and SupplementaryGroups=
# for this command line only; all other sandboxing settings still apply.
# NOTE(review): no User= line is visible here, and chronyd is presumably
# expected to drop privileges itself - confirm against DAEMON_OPTS/chrony.conf.
21 ExecStart=!/usr/sbin/chronyd $DAEMON_OPTS
# Capability deny-list. The leading "~" inverts each list: the named
# capabilities are removed from the bounding set, and every capability that is
# not named (CAP_SYS_TIME among them) stays available. The lines accumulate.
# NOTE(review): a deny-list also leaves in place any capability added by a
# newer kernel; an explicit allow-list would be tighter once the capabilities
# chronyd needs in this deployment are known.
23 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
24 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
25 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
26 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
27 CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
# Device nodes the service may open: the PPS, PTP and RTC character-device
# classes, read and write ("rw"; no "m", so no mknod).
# NOTE(review): DevicePolicy= is not visible in this listing; how all other
# device nodes are treated depends on it.
28 DeviceAllow=char-pps rw
29 DeviceAllow=char-ptp rw
30 DeviceAllow=char-rtc rw
# Refuse memory mappings that are writable and executable at the same time.
33 MemoryDenyWriteExecute=yes
# Make the cgroup hierarchy under /sys/fs/cgroup read-only for the service.
37 ProtectControlGroups=yes
# Deny explicit loading and unloading of kernel modules.
41 ProtectKernelModules=yes
# Make kernel tunables (/proc/sys, /sys and similar) read-only.
42 ProtectKernelTunables=yes
45 # Used for gps refclocks
# NOTE(review): the directive the comment above refers to is not visible in
# this listing.
# Allow-list of socket address families; other families are refused. A later
# RestrictAddressFamilies=AF_NETLINK line in this unit is merged into this
# list, so the effective set is the union of both lines.
47 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Deny creating or joining any kind of Linux namespace.
48 RestrictNamespaces=yes
# Only system calls of the native ABI are allowed, so a secondary ABI cannot
# be used to get around the filter below.
50 SystemCallArchitectures=native
# System-call deny-list: "~" inverts the list, so the named groups are blocked
# and everything else stays allowed. A blocked call terminates the process
# unless SystemCallErrorNumber= is set (not visible in this listing).
51 SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
# Directories managed by systemd, named relative to the standard prefixes.
# For a system unit: ConfigurationDirectory -> /etc/chrony,
# RuntimeDirectory -> /run/chrony.
53 ConfigurationDirectory=chrony
54 RuntimeDirectory=chrony
# 0700: only the owning user may enter /run/chrony.
55 RuntimeDirectoryMode=0700
56 # See dumpdir in chrony.conf(5)
# "restart": keep /run/chrony across restarts of the service; it is still
# removed when the service is stopped.
57 RuntimeDirectoryPreserve=restart
# NOTE(review): the StateDirectory= and LogsDirectory= lines these two modes
# apply to are not visible in this listing. 0750 gives "other" no access.
59 StateDirectoryMode=0750
61 LogsDirectoryMode=0750
63 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
# The lines below relax the sandbox so chronyd can hand a message to sendmail.
# NOTE(review): on hosts whose chrony.conf has no mailonchange directive these
# relaxations are unused and could be left out to keep the sandbox tighter.
# Leading "-": ignored when /var/spool does not exist. The whole of /var/spool
# becomes writable for the service, which is wider than one mail queue
# directory. Only relevant together with a read-only file-system setting such
# as ProtectSystem=, which is not visible in this listing.
65 ReadWritePaths=-/var/spool
# Merged with the earlier RestrictAddressFamilies= list: adds netlink sockets
# to the allowed address families.
66 RestrictAddressFamilies=AF_NETLINK
# When the unit is enabled, multi-user.target pulls it in at boot.
# NOTE(review): the section header this key belongs under (normally [Install])
# is not visible in this listing.
74 WantedBy=multi-user.target