There's no need for CAP_CHOWN, CAP_DAC_OVERRIDE or CAP_FOWNER. No new privileges are needed, and in particular no setuid fixups are expected.
Device policy can be closed; timesyncd does not access any devices. Timesyncd only needs write access to /var/lib/systemd/clock. There's no need to access /boot or most API filesystems. Install a system call filter, generated with 'strace -c'. Only one additional process is needed. Mounts should not propagate back, so set the MountFlags to slave (actually default since we use e.g. PrivateTmp).
---
 units/systemd-timesyncd.service.in | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 39edafc..ef09f05 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -22,12 +22,21 @@ Type=notify Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-timesyncd -CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP +NoNewPrivileges=true +SecureBits=no-setuid-fixup no-setuid-fixup-locked PrivateTmp=yes PrivateDevices=yes +DevicePolicy=closed ProtectSystem=full ProtectHome=yes +InaccessibleDirectories=/dev/pts /dev/shm /dev/mqueue /dev/hugepages /boot /sys +ReadOnlyDirectories=/ +ReadWriteDirectories=/var/lib/systemd/clock WatchdogSec=1min +SystemCallFilter=recvfrom clock_gettime prctl read open close stat fstat poll lseek mmap mprotect munmap brk rt_sigaction rt_sigprocmask ioctl access madvise socket connect sendto sendmsg recvmsg bind getsockname socketpair setsockopt getsockopt clone fcntl umask getrlimit setgroups setresuid setresgid capget capset arch_prctl gettid futex set_tid_address epoll_wait epoll_ctl inotify_add_watch set_robust_list utimensat timerfd_create timerfd_settime signalfd4 epoll_create1 inotify_init1 clock_adjtime sendmmsg +LimitNPROC=2 +MountFlags=slave [Install] WantedBy=sysinit.target -- 2.1.4 _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
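Review bot: the `SystemCallFilter=` allowlist in this hunk was generated from one `strace -c` run, so it only contains the system calls that particular run happened to exercise; anything on a path not taken during tracing (error handling, shutdown, a different architecture) will terminate the daemon with SIGSYS rather than fail gracefully. Two things stand out in the list as written: `exit_group`/`exit` are absent, so even a clean exit of the process would be killed by the filter, and the names are x86_64-specific (`open`, `stat`, `poll`, `socket`, `epoll_wait`) and will not match on architectures that multiplex sockets through `socketcall` or only provide `openat`/`ppoll`/`epoll_pwait` equivalents. Please add the exit calls, state in the commit message which architecture the list was captured on, and consider pinning `SystemCallArchitectures=native` next to the filter so a foreign-ABI process cannot bypass it. A second point on the same hunk: `ReadWriteDirectories=/var/lib/systemd/clock` names a file, not a directory, and with `ReadOnlyDirectories=/` in effect the daemon cannot create it if it does not yet exist (first boot, fresh `/var`); it would be worth noting how the file is guaranteed to exist before the sandbox is set up, or making that ordering explicit in the unit. Finally, the `MountFlags=slave` line is redundant by the commit message's own admission (it is already implied by `PrivateTmp=`), so either drop it or keep it with a one-line comment in the unit explaining that it is intentional documentation rather than a behavioural change.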