This is an automated email from git. It was generated because a ref change was pushed to the "chrony/chrony.git" repository.

The branch, master has been updated
       via  83f96efdfd2d42a8de51ac3b05120acf5292bb00 (commit)
      from  127826a399826b048c3b13d04771129b6f4f373d (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Sep 29 15:25:48 2021 +0200

    examples: harden systemd services

    Add various settings to the example chronyd and chrony-wait services
    to decrease the exposure reported by the "systemd-analyze security"
    command. The original exposure was high as the analyzer does not check
    the actual process (e.g. that it dropped the root privileges or that
    it has its own seccomp filter).

    Limit read-write access to /run, /var/lib/chrony, and /var/spool.
    Access to /run (instead of /run/chrony) is needed for the refclock
    socket expected by gpsd.

    The mailonchange directive is most likely to break as it executes
    /usr/sbin/sendmail, which can do unexpected operations depending on
    the implementation. It should work with a setuid/setgid binary, but
    it is not expected to write outside of /var/spool and the private
    /tmp.

-----------------------------------------------------------------------

Summary of changes:
 examples/chrony-wait.service | 27 +++++++++++++++++++++++++++
 examples/chronyd.service     | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 59 insertions(+), 1 deletion(-)

hooks/post-receive
--
chrony/chrony.git

--
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the subject.
Trouble? Email listmas...@chrony.tuxfamily.org.
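The notification shows only the diffstat, not the new unit contents. The following drop-in override is an added illustration of the read-write scoping the commit message describes; it is not the project's examples/chronyd.service and not code from the commit author. The directive names are standard systemd service options, but which subset the chrony examples actually use, whether chronyd needs AF_NETLINK, and the exact capability set chronyd requires are assumptions to check against the repository before deploying.

```ini
# /etc/systemd/system/chronyd.service.d/hardening.conf
# Example drop-in (not the chrony project's file). Apply with:
#   systemctl daemon-reload && systemctl restart chronyd
#   systemd-analyze security chronyd.service   # compare exposure before/after
[Service]
# Mount the whole file system read-only except for the paths listed below.
ProtectSystem=strict
# /run rather than /run/chrony, so the refclock socket expected by gpsd
# can still be created; /var/lib/chrony for drift/rtc files; /var/spool
# for a sendmail invoked by the mailonchange directive.
ReadWritePaths=/run /var/lib/chrony /var/spool
# Private /tmp: sendmail is expected to write nowhere else.
PrivateTmp=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
# AF_NETLINK is an assumption (interface change notifications); remove it
# if the daemon runs without it on your system.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Deliberately NOT set in this example:
#   ProtectClock=yes     would strip CAP_SYS_TIME, i.e. the clock adjustments
#                        chronyd exists to make
#   NoNewPrivileges=yes  would stop a setuid/setgid /usr/sbin/sendmail from
#                        gaining the privileges it needs under mailonchange
#   SystemCallFilter=    chronyd ships its own seccomp filter, which the
#                        analyzer does not see but which is already in effect
```

After applying, confirm the service still synchronises (chronyc tracking), that any refclock socket under /run and any mailonchange mail still work, and then rerun systemd-analyze security to see the lowered exposure score; the score measures unit directives only, so a high number before the change does not by itself mean the process was unsandboxed, exactly as the commit message notes.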