X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=units%2Fsystemd-timesyncd.service.in;h=030e4a0423d16b4b2f1f18704493d31576e9852d;hp=ec2871455e88fddf5672e0e1efe9cf4d76fcc246;hb=6a010ac9e5aa585637b4b79df92f8ca5537faf71;hpb=ece6e766cf89c8ec82ad135969dedf16cd7c1ee8

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index ec2871455..030e4a042 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -11,7 +11,7 @@ Documentation=man:systemd-timesyncd.service(8)
 ConditionCapability=CAP_SYS_TIME
 DefaultDependencies=off
 RequiresMountsFor=/var/lib/systemd/clock
-After=systemd-remount-fs.service
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service
 Before=sysinit.target shutdown.target
 Conflicts=shutdown.target
 
@@ -20,9 +20,11 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
-CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
 PrivateTmp=yes
 PrivateDevices=yes
+ReadOnlySystem=yes
+ProtectedHome=yes
 WatchdogSec=1min
 
 [Install]