diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index ea3be31a2060..4fb5749e71c8 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -339,6 +339,13 @@
And backup your data.
+
+
+ services.chronyd is now started with
+ additional systemd sandbox/hardening options for better
+ security.
+
+
The module services.headscale was
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index df0ec622e56e..b5c9c4ceb55d 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -94,6 +94,8 @@ In addition to numerous new and upgraded packages, this release has the followin
And backup your data.
+- `services.chronyd` is now started with additional systemd sandbox/hardening options for better security.
+
- The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
- Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 7e3bb565d10b..dc180d4a4f95 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -147,9 +147,9 @@ in
systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; };
systemd.tmpfiles.rules = [
- "d ${stateDir} 0755 chrony chrony - -"
- "f ${driftFile} 0640 chrony chrony -"
- "f ${keyFile} 0640 chrony chrony -"
+ "d ${stateDir} 0750 chrony chrony - -"
+ "f ${driftFile} 0640 chrony chrony - -"
+ "f ${keyFile} 0640 chrony chrony - -"
];
systemd.services.chronyd =
@@ -164,15 +164,47 @@ in
path = [ chronyPkg ];
unitConfig.ConditionCapability = "CAP_SYS_TIME";
- serviceConfig =
- { Type = "simple";
- ExecStart = "${chronyPkg}/bin/chronyd ${builtins.toString chronyFlags}";
-
- ProtectHome = "yes";
- ProtectSystem = "full";
- PrivateTmp = "yes";
- };
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${chronyPkg}/bin/chronyd ${builtins.toString chronyFlags}";
+ # Proc filesystem
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
+ # Access write directories
+ ReadWritePaths = [ "${stateDir}" ];
+ UMask = "0027";
+ # Capabilities
+ CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_RESOURCE" "CAP_SYS_TIME" ];
+ # Device Access
+ DeviceAllow = [ "char-pps rw" "char-ptp rw" "char-rtc rw" ];
+ DevicePolicy = "closed";
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = false;
+ ProtectHostname = true;
+ ProtectClock = false;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ];
+ };
};
};
}
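Review bot: The `DeviceAllow = [ "char-pps rw" "char-ptp rw" "char-rtc rw" ]` list is effectively dead code because `PrivateDevices = true` a few lines below gives chronyd a private /dev that only contains pseudo-devices, so /dev/pps*, /dev/ptp* and /dev/rtc never appear inside the sandbox regardless of the cgroup device policy; any user with a `refclock PPS`/`PHC` or `rtcfile` directive in their config would presumably lose access to those devices with this change (inferred, not tested here). If hardware refclocks are meant to keep working, `PrivateDevices = false;` is the one-line change, leaving `DevicePolicy = "closed"` plus the `DeviceAllow` entries as the actual restriction; otherwise the `DeviceAllow` lines should be dropped so the unit does not advertise access it cannot grant. Relatedly, `ReadWritePaths = [ "${stateDir}" ]` only does real work under `ProtectSystem = "strict"`, and with `"full"` it is close to a no-op unless `stateDir` lives under /usr, /boot or /etc; `strict` would be the stronger pairing if chronyd has no other writable paths. The explicit `PrivateUsers = false` and `ProtectClock = false` deserve a why-comment such as `# chronyd must set the system clock (CAP_SYS_TIME), which ProtectClock/PrivateUsers would block`. The `systemd.services.chronyd` attrset that encloses this `serviceConfig` begins outside the hunk.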