nixos/chrony: systemd service hardening #104944
Conversation
The service can successfully work with more systemd sandboxing in place. Changing `ProtectSystem` from `full` to `strict` makes the entire filesystem read-only, with the exception of two directories listed under `ReadWritePaths`. Many other sandbox options were added as well; unfortunately I couldn't source them from the project itself, as it only provides a very basic systemd service template. The `/var/run/chrony` path is compiled into the `chronyd` binary, as well as into the `chronyc` client.
Are you able to provide a patch to upstream with these changes? It would be nice to have upstream sign off on this unit. You get bonus points if upstream adopts your changes and we can stop providing our own
Yeah that would be lovely indeed, I will try doing it in a spare moment. Let's park this PR for now then.
Any progress on this?
I marked this as stale due to inactivity.
Can we please unpark and rebase this? I'd be happy to review and test.
I marked this as stale due to inactivity.
Upstream has a systemd service file in git now: https://git.tuxfamily.org/chrony/chrony.git/tree/examples/chronyd.service
@snicket2100 implemented in this PR - #208751
This PR does not introduce the issues I described here. |
Motivation for this change
The service can successfully work with more systemd sandboxing in place. Changing `ProtectSystem` from `full` to `strict` makes the entire filesystem read-only, with the exception of two directories listed under `ReadWritePaths`. Many other sandbox options were added as well; unfortunately I couldn't source them from the project itself, as it only provides a very basic systemd service template. The `/var/run/chrony` path is compiled into the `chronyd` binary, as well as into the `chronyc` client. This is why I am not referencing it for anything else other than `ReadWritePaths`. I've been running this config for a while and it seems stable.
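The discussion above turns on one interaction: `ProtectSystem=strict` mounts the whole filesystem read-only, so every directory the daemon must write (the compiled-in `/var/run/chrony` among them) has to be listed explicitly under `ReadWritePaths`, or the service starts but fails at runtime. The script below is an added example, not code from nixpkgs, chrony or this PR's author: it parses the `[Service]` section of a unit file and reports the hardening gaps this thread is about. The second writable directory (`/var/lib/chrony`), the sample units and the `ProtectClock` check are assumptions added here; the page only names `/var/run/chrony`.

```python
"""Audit systemd sandbox directives for an NTP daemon unit.

Added example (not nixpkgs or chrony code). Checks the points raised in
the PR: ProtectSystem=strict, and ReadWritePaths covering the paths the
daemon must write. Also flags ProtectClock=yes, which removes CAP_SYS_TIME
and filters clock-setting syscalls, so it would break any time daemon.
"""
from typing import Dict, List

# /var/run/chrony is compiled into chronyd and chronyc (stated in the PR).
# /var/lib/chrony (drift file, by convention) is an assumption of this example.
REQUIRED_WRITABLE = ("/var/run/chrony", "/var/lib/chrony")


def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Return [Service] directives as name -> list of values.

    systemd lets a directive repeat (each occurrence appends) and whitespace-
    separates list-valued ones such as ReadWritePaths, while an empty
    assignment ("Key=") resets the list. configparser would collapse repeats,
    so the section is parsed by hand.
    """
    directives: Dict[str, List[str]] = {}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            directives[key] = []
        else:
            directives.setdefault(key, []).extend(value.split())
    return directives


def audit(unit_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the unit passes."""
    svc = parse_service_section(unit_text)
    findings: List[str] = []

    protect = svc.get("ProtectSystem", ["no"])[-1]
    if protect != "strict":
        findings.append(
            f"ProtectSystem={protect}: only 'strict' makes the whole "
            "filesystem read-only (full leaves /var and /etc-adjacent paths writable)"
        )

    # Entries may carry a '-' (ignore if missing) or '+' (relative to root) prefix.
    rw = {p.lstrip("-+") for p in svc.get("ReadWritePaths", [])}
    if protect == "strict":
        for path in REQUIRED_WRITABLE:
            if path not in rw:
                findings.append(
                    f"{path} missing from ReadWritePaths: under ProtectSystem=strict "
                    "the daemon cannot write there"
                )

    if svc.get("ProtectClock", ["no"])[-1].lower() in ("yes", "true", "on", "1"):
        findings.append(
            "ProtectClock=yes drops CAP_SYS_TIME and blocks clock-setting "
            "syscalls; a time daemon cannot step or slew the clock with it"
        )
    return findings


# Constructed sample units (not the nixpkgs or upstream unit files).
BEFORE_UNIT = """
[Unit]
Description=chronyd (constructed sample, before hardening)
[Service]
ExecStart=/usr/bin/chronyd -n
ProtectSystem=full
"""

AFTER_UNIT = """
[Service]
ExecStart=/usr/bin/chronyd -n
ProtectSystem=strict
ReadWritePaths=/var/run/chrony /var/lib/chrony
PrivateTmp=yes
ProtectHome=yes
"""

OVERHARDENED_UNIT = AFTER_UNIT + "ProtectClock=yes\n"

if __name__ == "__main__":
    for name, unit in (("before", BEFORE_UNIT), ("after", AFTER_UNIT),
                       ("overhardened", OVERHARDENED_UNIT)):
        print(name, audit(unit) or "OK")
```

Run it as a script and the "before" unit is flagged for `ProtectSystem=full`, the hardened unit passes, and the over-hardened variant shows why a sandboxing option that is right for most daemons is wrong for this one. Point `audit()` at the real unit text (for example the output of `systemctl cat chronyd`) to check an installed service.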