chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
units: add SecureBits
[elogind.git] / units / systemd-timesyncd.service.in
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 3a1bc48a91e91de6ba2eb8ded0dfe2fe55ccd2d0..bc7aa26a9b7279782a36ba147032719b3f7c9f07 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -9,13 +9,13 @@
 Description=Network Time Synchronization
 Documentation=man:systemd-timesyncd.service(8)
 ConditionCapability=CAP_SYS_TIME
-DefaultDependencies=off
+ConditionVirtualization=no
+DefaultDependencies=no
 RequiresMountsFor=/var/lib/systemd/clock
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service
-Before=sysinit.target shutdown.target
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service
+Before=time-sync.target sysinit.target shutdown.target
 Conflicts=shutdown.target
 Wants=time-sync.target
-Before=time-sync.target
 
 [Service]
 Type=notify
@@ -23,6 +23,7 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
 CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=full
Unnamed repository; edit this file 'description' to name the repository.