units: add SecureBits

[elogind.git] / units / systemd-timesyncd.service.in

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 17b60d08c4dd3b6396c976b757e8b4257b38c2c0..bc7aa26a9b7279782a36ba147032719b3f7c9f07 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -9,6 +9,7 @@
 Description=Network Time Synchronization
 Documentation=man:systemd-timesyncd.service(8)
 ConditionCapability=CAP_SYS_TIME
+ConditionVirtualization=no
 DefaultDependencies=no
 RequiresMountsFor=/var/lib/systemd/clock
 After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service
@@ -22,6 +23,7 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
 CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=full