mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
9af2820694
While the need for access to character devices can be tricky to determine for the general case, it's obvious that most of our services have no need to access block devices. For logind and timedated this can be tightened further.
40 lines
1.1 KiB
SYSTEMD
40 lines
1.1 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1+
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Time & Date Service
|
|
Documentation=man:systemd-timedated.service(8) man:localtime(5)
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
|
|
|
|
[Service]
|
|
BusName=org.freedesktop.timedate1
|
|
CapabilityBoundingSet=CAP_SYS_TIME
|
|
DeviceAllow=char-rtc r
|
|
ExecStart=@rootlibexecdir@/systemd-timedated
|
|
IPAddressDeny=any
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateTmp=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectSystem=strict
|
|
ReadWritePaths=/etc
|
|
RestrictAddressFamilies=AF_UNIX
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service @clock
|
|
WatchdogSec=3min
|