diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2015-02-11 17:32:14 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-02-11 17:33:36 +0100 |
commit | 6a716208b346b742053cfd01e76f76fb27c4ea47 (patch) | |
tree | 15ea908b54df5b082e80a5f1835210d9e3b13a1d /units/systemd-timesyncd.service.in | |
parent | man: fix typo (diff) | |
download | systemd-6a716208b346b742053cfd01e76f76fb27c4ea47.tar.xz systemd-6a716208b346b742053cfd01e76f76fb27c4ea47.zip |
units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
Diffstat (limited to 'units/systemd-timesyncd.service.in')
-rw-r--r-- | units/systemd-timesyncd.service.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 39edafc8d2..bc7aa26a9b 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -23,6 +23,7 @@ Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-timesyncd CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +SecureBits=noroot noroot-locked PrivateTmp=yes PrivateDevices=yes ProtectSystem=full |