]> git.ipfire.org Git - thirdparty/systemd.git/blobdiff - units/systemd-timesyncd.service.in
projects / thirdparty / systemd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge pull request #12207 from poettering/portable-bus-policy-fix
[thirdparty/systemd.git] / units / systemd-timesyncd.service.in
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8b99e92e0172c548ab020175a1cdd8859a3d4e0d..6512531e1c5aa3811b5a3c3fb5b79012c19c7302 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,10 +24,12 @@ CapabilityBoundingSet=CAP_SYS_TIME
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
@@ -36,6 +38,7 @@ RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/timesync
 StateDirectory=systemd/timesync
 SystemCallArchitectures=native
Unnamed repository; edit this file 'description' to name the repository.