core: shared: Add ProtectClock= to systemd.exec

author: Kevin Kuehler <kkuehler@brave.com> 2020-01-26 21:23:33 +0100
committer: Kevin Kuehler <kkuehler@brave.com> 2020-01-26 21:23:33 +0100
commit: fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c (patch)
tree: 6de3f1edfc889687b974e2677edbc7fa4ded9565 /src/core/unit.c
parent: test: unpin meson from v0.52.1 (diff)
download: systemd-fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c.tar.xz
systemd-fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c
index c629a1a9ce..8570eaefb4 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4287,6 +4287,9 @@ int unit_patch_contexts(Unit *u) {
                 if (ec->protect_kernel_logs)
                         ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
 
+                if (ec->protect_clock)
+                        ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_SYS_TIME) | (UINT64_C(1) << CAP_WAKE_ALARM));
+
                 if (ec->dynamic_user) {
                         if (!ec->user) {
                                 r = user_from_unit_name(u, &ec->user);
@@ -4345,6 +4348,12 @@ int unit_patch_contexts(Unit *u) {
                         if (r < 0)
                                 return r;
                 }
+
+                if (ec->protect_clock) {
+                        r = cgroup_add_device_allow(cc, "char-rtc", "r");
+                        if (r < 0)
+                                return r;
+                }
         }
 
         return 0;
author	Kevin Kuehler <kkuehler@brave.com>	2020-01-26 21:23:33 +0100
committer	Kevin Kuehler <kkuehler@brave.com>	2020-01-26 21:23:33 +0100
commit	fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c (patch)
tree	6de3f1edfc889687b974e2677edbc7fa4ded9565 /src/core/unit.c
parent	test: unpin meson from v0.52.1 (diff)
download	systemd-fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c.tar.xz systemd-fc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c.zip