X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=units%2Fsystemd-timesyncd.service.in;h=6512531e1c5aa3811b5a3c3fb5b79012c19c7302;hb=482882b7b725e44c214ee384c9e984f452124164;hp=a6e14d24d1384c1bb97f29040020eec9903c001d;hpb=dfff69bfc49e06c1acf3560478974260e95b3c51;p=thirdparty%2Fsystemd.git
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a6e14d24d13..6512531e1c5 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
 # This file is part of systemd.
 #
 # systemd is free software; you can redistribute it and/or modify it
@@ -17,28 +19,35 @@ Conflicts=shutdown.target
 Wants=time-sync.target
 
 [Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-WatchdogSec=3min
-User=systemd-timesync
-CapabilityBoundingSet=CAP_SYS_TIME
 AmbientCapabilities=CAP_SYS_TIME
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
-SystemCallArchitectures=native
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RuntimeDirectory=systemd/timesync
 StateDirectory=systemd/timesync
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+Type=notify
+User=systemd-timesync
+WatchdogSec=3min
 
 [Install]
 WantedBy=sysinit.target
+Alias=dbus-org.freedesktop.timesync1.service
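Review bot: The new `SystemCallFilter=@system-service @clock` line, combined with `SystemCallErrorNumber=EPERM`, turns the filter from a deny-list into an allow-list whose violations return an error to the daemon instead of terminating it, and nothing in the unit says so. A syscall the daemon comes to need later, or one that a compromised process attempts, will then fail quietly rather than surface as a SIGSYS crash, so it is worth confirming that the seccomp logging the deployment relies on still records these denials (errno actions are, I believe, not audited by default; to be verified). I would add a comment above the filter such as `# Allow-list: @clock is required to set the system clock; anything else fails with EPERM rather than killing the service`. The functional additions (LockPersonality, NoNewPrivileges, ProtectHostname, RestrictSUIDSGID, RuntimeDirectory, the new filter) are also interleaved with an alphabetical re-sort of the whole [Service] section, which makes them hard to pick out; listing them in the commit message would help review.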