]> git.ipfire.org Git - thirdparty/systemd.git/blobdiff - units/systemd-timedated.service.in
projects / thirdparty / systemd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
test: Disable LUKS devices from initramfs in QEMU tests
[thirdparty/systemd.git] / units / systemd-timedated.service.in
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 6d5302419579bf5c4e52adf2ffb4c1f2be3898fe..819cb4dba290bedd67906063d9c708b5f4b2917d 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -15,6 +15,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
 [Service]
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
+DeviceAllow=char-rtc r
 ExecStart=@rootlibexecdir@/systemd-timedated
 IPAddressDeny=any
 LockPersonality=yes
@@ -23,6 +24,7 @@ NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
@@ -30,7 +32,8 @@ ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service @clock
-WatchdogSec=3min
+@SERVICE_WATCHDOG@
Unnamed repository; edit this file 'description' to name the repository.