mirror of
https://github.com/systemd/systemd
synced 2024-07-22 10:44:58 +00:00
417116f234
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
32 lines
939 B
SYSTEMD
32 lines
939 B
SYSTEMD
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Time Synchronization
|
|
Documentation=man:systemd-timesyncd.service(8)
|
|
ConditionCapability=CAP_SYS_TIME
|
|
DefaultDependencies=off
|
|
RequiresMountsFor=/var/lib/systemd/clock
|
|
After=systemd-remount-fs.service systemd-tmpfiles-setup.service
|
|
Before=sysinit.target shutdown.target
|
|
Conflicts=shutdown.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
Restart=always
|
|
RestartSec=0
|
|
ExecStart=@rootlibexecdir@/systemd-timesyncd
|
|
CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
ReadOnlySystem=yes
|
|
ProtectedHome=yes
|
|
WatchdogSec=1min
|
|
|
|
[Install]
|
|
WantedBy=sysinit.target
|