Merge pull request #15564 from poettering/tmpfiles-no-proc

[thirdparty/systemd.git] / units / systemd-timesyncd.service.in

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 5313a90c30b62390b04f4a5c6bdf5eb53ffbe571..92ee94582cd6196ffc53f6cdd3364dd9c824222e 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -13,10 +13,10 @@ Documentation=man:systemd-timesyncd.service(8)
 ConditionCapability=CAP_SYS_TIME
 ConditionVirtualization=!container
 DefaultDependencies=no
-After=systemd-remount-fs.service systemd-sysusers.service
-Before=time-sync.target sysinit.target shutdown.target
+After=systemd-sysusers.service
+Before=time-set.target sysinit.target shutdown.target
 Conflicts=shutdown.target
-Wants=time-sync.target
+Wants=time-set.target time-sync.target
 
 [Service]
 AmbientCapabilities=CAP_SYS_TIME
@@ -32,12 +32,14 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/timesync
 StateDirectory=systemd/timesync
 SystemCallArchitectures=native
@@ -45,7 +47,7 @@ SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service @clock
 Type=notify
 User=systemd-timesync
-WatchdogSec=3min
+@SERVICE_WATCHDOG@
 
 [Install]
 WantedBy=sysinit.target