mirror of
https://github.com/systemd/systemd.git
synced 2024-11-01 09:21:26 +03:00
abf4e5c1d3
We have a chicken and egg problem: validation of DNSSEC signatures doesn't work without a correct clock, but to set the correct clock we need to contact NTP servers which requires resolving a hostname, which would normally require DNSSEC validation. Let's break the cycle by excluding NTP hostname resolution from validation for now. Of course, this leaves NTP traffic unprotected. To cover that we need NTPSEC support, which we can add later. Fixes: #5873 #15607
61 lines
1.7 KiB
SYSTEMD
61 lines
1.7 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Time Synchronization
|
|
Documentation=man:systemd-timesyncd.service(8)
|
|
ConditionCapability=CAP_SYS_TIME
|
|
ConditionVirtualization=!container
|
|
DefaultDependencies=no
|
|
After=systemd-sysusers.service
|
|
Before=time-set.target sysinit.target shutdown.target
|
|
Conflicts=shutdown.target
|
|
Wants=time-set.target
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_SYS_TIME
|
|
BusName=org.freedesktop.timesync1
|
|
CapabilityBoundingSet=CAP_SYS_TIME
|
|
# Turn off DNSSEC validation for hostname look-ups, since those need the
|
|
# correct time to work, but we likely won't acquire that without NTP. Let's
|
|
# break this chicken-and-egg cycle here.
|
|
Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
|
|
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectProc=invisible
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectSystem=strict
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/timesync
|
|
StateDirectory=systemd/timesync
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service @clock
|
|
Type=notify
|
|
User=systemd-timesync
|
|
@SERVICE_WATCHDOG@
|
|
|
|
[Install]
|
|
WantedBy=sysinit.target
|
|
Alias=dbus-org.freedesktop.timesync1.service
|