From c45e77cffdd44df463c1b11da4e35caa6ea31f76 Mon Sep 17 00:00:00 2001
From: Rahul Sundaram
Date: Mon, 11 Mar 2024 21:06:56 -0400
Subject: [PATCH] Update Systemd security settings

---
 contrib/cronie.systemd | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/contrib/cronie.systemd b/contrib/cronie.systemd
index c8cd6f3..887c157 100644
--- a/contrib/cronie.systemd
+++ b/contrib/cronie.systemd
@@ -9,6 +9,24 @@ ExecReload=/bin/kill -URG $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=30s
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=no
+PrivateDevices=no
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=no
+ProtectHostname=yes
+ProtectKernelLogs=no
+ProtectKernelModules=yes
+ProtectKernelTunables=no
+ProtectProc=invisible
+ProtectSystem=no
+RestrictNamespaces=no
+RestrictRealtime=yes
+RestrictSUIDSGID=no
 
 [Install]
 WantedBy=multi-user.target
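Review bot: The options switched to `yes` apply to the crond service's whole execution environment, so every job crond starts runs under them too, and nothing in the added lines says so. `MemoryDenyWriteExecute=yes` and `PrivateTmp=yes` are the two most likely to surprise job owners: the first stops a job from creating writable-and-executable mappings (JIT-based runtimes commonly need them), the second gives jobs a /tmp and /var/tmp that other services do not share. The lines set to `no` (`NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `RestrictSUIDSGID` and the rest) restate what I understand to be systemd's defaults, so they add no hardening and only read as deliberate opt-outs; a comment above the block would record the intent, for example `# Inherited by all cron jobs; options left at "no" are ones jobs are expected to need (setuid helpers, writes to /home and system paths).` I would also check `ProtectClock=yes` before merging, since per systemd.exec it implies a `DeviceAllow=` entry and that may narrow device access for jobs. The [Service] section these lines belong to starts above the hunk.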