author | Lennart Poettering <lennart@poettering.net> | 2018-11-12 17:19:48 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2018-11-12 19:02:55 +0100 |
commit | 3ca9940cb95cb263c6bfe5cfee72df232fe46a94 (patch) | |
tree | 1aea17c3bc6b6f4f3abd129e973196d540b98d04 /units | |
parent | d49881a06a3999938459692d953de8d7dd8f2cb2 (diff) | |
download | systemd-3ca9940cb95cb263c6bfe5cfee72df232fe46a94.tar.gz |
units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.
On SELinux systems this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels are permitted.
And while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.
Fixes: #1219
Diffstat (limited to 'units')
-rw-r--r-- | units/systemd-coredump@.service.in | 27 | ||||
-rw-r--r-- | units/systemd-hostnamed.service.in | 29 | ||||
-rw-r--r-- | units/systemd-initctl.service.in | 3 | ||||
-rw-r--r-- | units/systemd-journal-gatewayd.service.in | 19 | ||||
-rw-r--r-- | units/systemd-journal-remote.service.in | 23 | ||||
-rw-r--r-- | units/systemd-journal-upload.service.in | 23 | ||||
-rw-r--r-- | units/systemd-journald.service.in | 27 | ||||
-rw-r--r-- | units/systemd-localed.service.in | 29 | ||||
-rw-r--r-- | units/systemd-logind.service.in | 23 | ||||
-rw-r--r-- | units/systemd-machined.service.in | 15 | ||||
-rw-r--r-- | units/systemd-networkd.service.in | 33 | ||||
-rw-r--r-- | units/systemd-resolved.service.in | 37 | ||||
-rw-r--r-- | units/systemd-rfkill.service.in | 5 | ||||
-rw-r--r-- | units/systemd-timedated.service.in | 27 | ||||
-rw-r--r-- | units/systemd-timesyncd.service.in | 37 |
15 files changed, 186 insertions, 171 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 215696ecd1..ffcb5f36ca 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -18,24 +18,25 @@ Before=shutdown.target
 
 [Service]
 ExecStart=-@rootlibexecdir@/systemd-coredump
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 Nice=9
+NoNewPrivileges=yes
 OOMScoreAdjust=500
-RuntimeMaxSec=5min
-PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index da74b4fe8b..9c925e80d9 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
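Review bot: For the units in this commit that still run as root — this one plus journald, logind, machined, hostnamed, localed and timedated — the new `NoNewPrivileges=yes` line is the first thing that actually sets the no_new_privs flag, because, if I read PID 1's implied-NNP rule correctly, the seccomp-backed options already present (`SystemCallFilter=`, `RestrictAddressFamilies=`, `LockPersonality=`, …) only imply it for unprivileged services. That makes this one line the behaviour change on SELinux hosts, where the description says a matching policy update must land first, yet nothing in the unit files records that coupling. A short comment above the line in each root unit would help packagers, e.g. `# Set explicitly: the seccomp options below do not imply NNP for root services; SELinux policy must allow NNP-ful init_t -> service-label transitions (#1219).` The same point applies to the journald, logind, machined, hostnamed, localed and timedated hunks below and is not repeated there.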
@@ -13,25 +13,26 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-hostnamed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service sethostname
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service sethostname
+WatchdogSec=3min
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index 2b4b957dce..c276283908 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -13,6 +13,7 @@ Documentation=man:systemd-initctl.service(8)
 DefaultDependencies=no
 
 [Service]
-NotifyAccess=all
 ExecStart=@rootlibexecdir@/systemd-initctl
+NoNewPrivileges=yes
+NotifyAccess=all
 SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index a51d59d101..ebc8bf9a25 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -13,22 +13,23 @@ Documentation=man:systemd-journal-gatewayd(8)
 Requires=systemd-journal-gatewayd.socket
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
-User=systemd-journal-gateway
-SupplementaryGroups=systemd-journal
 DynamicUser=yes
+ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectHome=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SupplementaryGroups=systemd-journal
 SystemCallArchitectures=native
-LockPersonality=yes
+User=systemd-journal-gateway
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index fa8682cd28..29a99aaec1 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -14,23 +14,24 @@ Requires=systemd-journal-remote.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
-User=systemd-journal-remote
-WatchdogSec=3min
-PrivateTmp=yes
+LockPersonality=yes
+LogsDirectory=journal/remote
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-LogsDirectory=journal/remote
+User=systemd-journal-remote
+WatchdogSec=3min
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 1ded990877..92cd4e5259 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -14,23 +14,24 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
-User=systemd-journal-upload
 DynamicUser=yes
-SupplementaryGroups=systemd-journal
-WatchdogSec=3min
+ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectHome=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 StateDirectory=systemd/journal-upload
+SupplementaryGroups=systemd-journal
+SystemCallArchitectures=native
+User=systemd-journal-upload
+WatchdogSec=3min
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 41cac8cf65..4684f095c0 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -16,24 +16,25 @@ After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-a
 Before=sysinit.target
 
 [Service]
-Type=notify
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 ExecStart=@rootlibexecdir@/systemd-journald
-Restart=always
-RestartSec=0
-StandardOutput=null
-WatchdogSec=3min
 FileDescriptorStoreMax=4224
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+IPAddressDeny=any
+LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+NoNewPrivileges=yes
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+StandardOutput=null
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+WatchdogSec=3min
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a24e61a0cd..01e0703d0e 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -13,25 +13,26 @@ Documentation=man:systemd-localed.service(8) man:locale.conf(5) man:vconsole.con
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/localed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
-WatchdogSec=3min
 CapabilityBoundingSet=
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-localed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+WatchdogSec=3min
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 961263f607..38a7f269ac 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -20,22 +20,23 @@ Wants=dbus.socket
 After=dbus.socket
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-logind
-Restart=always
-RestartSec=0
 BusName=org.freedesktop.login1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+ExecStart=@rootlibexecdir@/systemd-logind
+FileDescriptorStoreMax=512
+IPAddressDeny=any
+LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+NoNewPrivileges=yes
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-FileDescriptorStoreMax=512
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+WatchdogSec=3min
 
 # Increase the default a bit in order to allow many simultaneous logins since
 # we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 1200a90a61..9f1476814d 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -16,18 +16,19 @@ After=machine.slice
 RequiresMountsFor=/var/lib/machines
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
+ExecStart=@rootlibexecdir@/systemd-machined
+IPAddressDeny=any
+LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
+NoNewPrivileges=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=@system-service @mount
-SystemCallErrorNumber=EPERM
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @mount
+WatchdogSec=3min
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 65d3e2a660..472ef045de 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -19,28 +19,29 @@ Conflicts=shutdown.target
 Wants=network.target
 
 [Service]
-Type=notify
-Restart=on-failure
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-networkd
-WatchdogSec=3min
-User=systemd-network
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-ProtectSystem=strict
-ProtectHome=yes
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ExecStart=!!@rootlibexecdir@/systemd-networkd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectControlGroups=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-network
+WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ef5398cbf0..3144b70063 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -20,31 +20,32 @@ Conflicts=shutdown.target
 Wants=nss-lookup.target
 
 [Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-resolved
-WatchdogSec=3min
-User=systemd-resolve
-CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+ExecStart=!!@rootlibexecdir@/systemd-resolved
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-resolve
+WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 4b68f0b5a7..3abb958310 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -17,7 +17,8 @@ After=sys-devices-virtual-misc-rfkill.device systemd-remount-fs.service
 Before=shutdown.target
 
 [Service]
-Type=notify
 ExecStart=@rootlibexecdir@/systemd-rfkill
-TimeoutSec=30s
+NoNewPrivileges=yes
 StateDirectory=systemd/rfkill
+TimeoutSec=30s
+Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 906bb4326c..6d53024195 100644
--- a/units/systemd-timedated.service.in
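Review bot: In the systemd-rfkill.service.in hunk, `NoNewPrivileges=yes` lands as the unit's only sandboxing directive, while the sibling systemd-initctl hunk in this commit keeps `SystemCallArchitectures=native` next to it and every other unit touched here already carries that setting. Unless the rfkill helper needs a non-native syscall ABI (nothing in the unit suggests it does), adding `SystemCallArchitectures=native` directly after the new line would make the two short-lived units consistent with each other and with the rest of the series. This is a consistency point only; the NNP line itself is correct as written.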
+++ b/units/systemd-timedated.service.in
@@ -13,23 +13,24 @@ Documentation=man:systemd-timedated.service(8) man:localtime(5)
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=@rootlibexecdir@/systemd-timedated
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+WatchdogSec=3min
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 12f918dd11..03ade45d08 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -19,31 +19,32 @@ Conflicts=shutdown.target
 Wants=time-sync.target
 
 [Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-WatchdogSec=3min
-User=systemd-timesync
-CapabilityBoundingSet=CAP_SYS_TIME
 AmbientCapabilities=CAP_SYS_TIME
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/timesync
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
 StateDirectory=systemd/timesync
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+Type=notify
+User=systemd-timesync
+WatchdogSec=3min
 
 [Install]
 WantedBy=sysinit.target