author | Topi Miettinen <toiwoton@gmail.com> | 2019-05-01 15:28:36 +0300 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2019-06-20 14:03:57 +0200 |
commit | 9af2820694e1b2d409ed35cf0bca00acab0bdec5 (patch) | |
tree | bfb51a766ad692b4d6b17ee5519d6c0753f7a334 /units/systemd-timedated.service.in | |
parent | 762267cdc117895dd2b50657ebd6ea085a1aff8a (diff) | |
units: deny access to block devices
While the need for access to character devices can be tricky to determine for
the general case, it's obvious that most of our services have no need to access
block devices. For logind and timedated this can be tightened further.
Diffstat (limited to 'units/systemd-timedated.service.in')
-rw-r--r-- | units/systemd-timedated.service.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index df546f471f..d430ee2017 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -15,6 +15,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated [Service] BusName=org.freedesktop.timedate1 CapabilityBoundingSet=CAP_SYS_TIME +DeviceAllow=char-rtc r ExecStart=@rootlibexecdir@/systemd-timedated IPAddressDeny=any LockPersonality=yes |
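Review bot: the added `DeviceAllow=char-rtc r` line grants read access only, while the same `[Service]` section keeps `CapabilityBoundingSet=CAP_SYS_TIME`, and neither the unit nor the commit message says whether `r` is enough for timedated to write the hardware clock as well as read it. Please confirm that setting the RTC still works with this line applied and note the reason in the commit message or in a comment above the line. The visible context also sets no `DevicePolicy=`, so the restriction depends on the default policy; since the stated goal is denying block devices, consider adding an explicit `DevicePolicy=closed` so the intent is readable from the unit file itself.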