units: add ProtectClock=yes

Add `ProtectClock=yes` to systemd units. Since it implies certain
`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
they are still able to access other devices. Exclude timesyncd and timedated.

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 6181d15d7776f6a61429b342595501c0c5dbcd0c..334f030caa978c838584eb0479cecdbe14c0382c 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -21,6 +21,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 5144868bcb711912e5b640f27b6eca8bcca3c767..0cb1bfa3ca7296ab0bb1d696d4a774a65330cc7f 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 23aa828591c434939679b796166237fde60dcf2e..ed573b8f3c7c7d9afab394f5ebddb0de64348a0f 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -36,6 +36,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 1b69677496d9e44bc5429fe4b087f087dc1bc337..26731468413d7614d4ed1ed64d16367db591dec8 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f73697832ccec4d3f35a726c2df189329932b40c..5723f1c1e2e6c64078a942814e223778c1d4ef5c 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 5eee69933bde944c9afc7db3779997891ecb3a06..f3ebaa18a64a68f68ed8406892a4505e30a09b27 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -16,6 +16,8 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
 # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
 OOMScoreAdjust=-1000
@@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6