units: add ProtectClock=yes

Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
author: Topi Miettinen <toiwoton@gmail.com> 2020-04-02 20:18:11 +0200
committer: Lennart Poettering <lennart@poettering.net> 2020-04-07 15:37:14 +0200
commit: cabc1c6d7adae658a2966a4b02a6faabb803e92b (patch)
tree: 97d713454ae4cffbf17b841480df3008bf3f2752 /units/systemd-udevd.service.in
parent: Remove message->priority field (diff)
download: systemd-cabc1c6d7adae658a2966a4b02a6faabb803e92b.tar.xz
systemd-cabc1c6d7adae658a2966a4b02a6faabb803e92b.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 5eee69933b..f3ebaa18a6 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -16,6 +16,8 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
 # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
 OOMScoreAdjust=-1000
@@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
author	Topi Miettinen <toiwoton@gmail.com>	2020-04-02 20:18:11 +0200
committer	Lennart Poettering <lennart@poettering.net>	2020-04-07 15:37:14 +0200
commit	cabc1c6d7adae658a2966a4b02a6faabb803e92b (patch)
tree	97d713454ae4cffbf17b841480df3008bf3f2752 /units/systemd-udevd.service.in
parent	Remove message->priority field (diff)
download	systemd-cabc1c6d7adae658a2966a4b02a6faabb803e92b.tar.xz systemd-cabc1c6d7adae658a2966a4b02a6faabb803e92b.zip