summaryrefslogtreecommitdiffstats
path: root/units/systemd-timesyncd.service.in
diff options
context:
space:
mode:
authorTopi Miettinen <toiwoton@gmail.com>2015-02-11 17:32:14 +0100
committerLennart Poettering <lennart@poettering.net>2015-02-11 17:33:36 +0100
commit6a716208b346b742053cfd01e76f76fb27c4ea47 (patch)
tree15ea908b54df5b082e80a5f1835210d9e3b13a1d /units/systemd-timesyncd.service.in
parentman: fix typo (diff)
downloadsystemd-6a716208b346b742053cfd01e76f76fb27c4ea47.tar.xz
systemd-6a716208b346b742053cfd01e76f76fb27c4ea47.zip
units: add SecureBits
No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
Diffstat (limited to 'units/systemd-timesyncd.service.in')
-rw-r--r--units/systemd-timesyncd.service.in1
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 39edafc8d2..bc7aa26a9b 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -23,6 +23,7 @@ Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-timesyncd
CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full