units: add ProtectClock=yes

Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
author: Topi Miettinen <toiwoton@gmail.com> 2020-04-02 21:18:11 +0300
committer: Lennart Poettering <lennart@poettering.net> 2020-04-07 15:37:14 +0200
commit: cabc1c6d7adae658a2966a4b02a6faabb803e92b (patch)
tree: 97d713454ae4cffbf17b841480df3008bf3f2752 /units/systemd-journald.service.in
parent: c3362c2f97115d7eecac556cf70034992c46221d (diff)
download: systemd-cabc1c6d7adae658a2966a4b02a6faabb803e92b.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 5144868bcb..0cb1bfa3ca 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
author	Topi Miettinen <toiwoton@gmail.com>	2020-04-02 21:18:11 +0300
committer	Lennart Poettering <lennart@poettering.net>	2020-04-07 15:37:14 +0200
commit	cabc1c6d7adae658a2966a4b02a6faabb803e92b (patch)
tree	97d713454ae4cffbf17b841480df3008bf3f2752 /units/systemd-journald.service.in
parent	c3362c2f97115d7eecac556cf70034992c46221d (diff)
download	systemd-cabc1c6d7adae658a2966a4b02a6faabb803e92b.tar.gz