chrony/examples/chronyd.service - chrony - Git at Google

 [Unit]
 Description=NTP client/server
 Documentation=man:chronyd(8) man:chrony.conf(5)
 After=ntpdate.service sntp.service ntpd.service
 Conflicts=ntpd.service systemd-timesyncd.service
 ConditionCapability=CAP_SYS_TIME

 [Service]
 Type=forking
 PIDFile=/run/chrony/chronyd.pid
 EnvironmentFile=-/etc/sysconfig/chronyd
 ExecStart=/usr/sbin/chronyd $OPTIONS

 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
 CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
 DeviceAllow=char-pps rw
 DeviceAllow=char-ptp rw
 DeviceAllow=char-rtc rw
 DevicePolicy=closed
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
 ProcSubset=pid
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
 ReadWritePaths=/run /var/lib/chrony -/var/log
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap

 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
 NoNewPrivileges=no
 ReadWritePaths=-/var/spool
 RestrictAddressFamilies=AF_NETLINK

 [Install]
 WantedBy=multi-user.target
	[Unit]
	Description=NTP client/server
	Documentation=man:chronyd(8) man:chrony.conf(5)
	After=ntpdate.service sntp.service ntpd.service
	Conflicts=ntpd.service systemd-timesyncd.service
	ConditionCapability=CAP_SYS_TIME

	[Service]
	Type=forking
	PIDFile=/run/chrony/chronyd.pid
	EnvironmentFile=-/etc/sysconfig/chronyd
	ExecStart=/usr/sbin/chronyd $OPTIONS

	CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
	CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
	CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
	CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
	CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
	DeviceAllow=char-pps rw
	DeviceAllow=char-ptp rw
	DeviceAllow=char-rtc rw
	DevicePolicy=closed
	LockPersonality=yes
	MemoryDenyWriteExecute=yes
	NoNewPrivileges=yes
	PrivateTmp=yes
	ProcSubset=pid
	ProtectControlGroups=yes
	ProtectHome=yes
	ProtectHostname=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectKernelTunables=yes
	ProtectProc=invisible
	ProtectSystem=strict
	ReadWritePaths=/run /var/lib/chrony -/var/log
	RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
	RestrictNamespaces=yes
	RestrictSUIDSGID=yes
	SystemCallArchitectures=native
	SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap

	# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
	NoNewPrivileges=no
	ReadWritePaths=-/var/spool
	RestrictAddressFamilies=AF_NETLINK

	[Install]
	WantedBy=multi-user.target