diff --git a/TODO b/TODO
index 2a6dbe9739..f6be4ec545 100644
--- a/TODO
+++ b/TODO
@@ -1996,8 +1996,7 @@ Features:
   - kill scsi_id
   - add trigger --subsystem-match=usb/usb_device device
   - reimport udev db after MOVE events for devices without dev_t
-  - re-enable ProtectClock= or set CapabilityBoundingSet= to drop CAP_SYS_TIME
-    and CAP_WAKE_ALARM (and possibly other unnecessary capabilities?).
+  - re-enable ProtectClock= once only cgroupsv2 is supported.
     See f562abe2963bad241d34e0b308e48cf114672c84.
 
 * coredump:
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 3579de4a68..e9dbe85ef4 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -16,6 +16,7 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
 Delegate=pids
 Type=notify
 # Note that udev will reset the value internally for its workers
@@ -34,6 +35,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @module @raw-io bpf
+SystemCallFilter=~@clock
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes