From e40fb1bd4e8540719962a6db4e00e9a0a0b6b7fe Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 19 Dec 2024 11:35:31 -0500
Subject: [PATCH] add chronyd.service hardening based on not using sendmail

This reverts the extra directives included in the standard chronyd.service for supporting sendmail.
---
 systemd/system/chronyd.service.d/override.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/systemd/system/chronyd.service.d/override.conf b/systemd/system/chronyd.service.d/override.conf
index df7dad1..f3cfc78 100644
--- a/systemd/system/chronyd.service.d/override.conf
+++ b/systemd/system/chronyd.service.d/override.conf
@@ -1,5 +1,9 @@
 [Service]
+NoNewPrivileges=yes
+ReadWritePaths=
+ReadWritePaths=/run /var/lib/chrony -/var/log
 Restart=always
 RestartMaxDelaySec=10s
 RestartSec=100ms
 RestartSteps=5
+RestrictAddressFamilies=~AF_NETLINK
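Review bot: The effect of the added `RestrictAddressFamilies=~AF_NETLINK` line depends on what the base chronyd.service declares, which is outside this patch: appended to an existing allow-list it should subtract AF_NETLINK from that list, but if the base unit carries no RestrictAddressFamilies= at all, a lone `~` entry produces a deny-list that blocks only netlink and leaves every other family (AF_PACKET and so on) open. The hunk already takes the robust route for ReadWritePaths= by resetting with an empty assignment and restating the full list; doing the same here, `RestrictAddressFamilies=` followed by `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, makes the drop-in independent of upstream edits, provided those families are confirmed against what chronyd actually opens (presumably the NTP UDP sockets and the chronyc command socket; verify against the base unit and chrony.conf). Independently of that, a one-line comment above the `ReadWritePaths=` reset saying that the drop-in now owns the complete writable-path list, so any path added to the upstream unit later would be silently masked here, would help the next maintainer.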