Diffstat (limited to 'units/systemd-timesyncd.service.in')
-rw-r--r-- | units/systemd-timesyncd.service.in | 38 |
1 files changed, 20 insertions, 18 deletions
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 4a490b6e16..03ade45d08 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -13,36 +13,38 @@ Documentation=man:systemd-timesyncd.service(8)
 ConditionCapability=CAP_SYS_TIME
 ConditionVirtualization=!container
 DefaultDependencies=no
-After=systemd-remount-fs.service
+After=systemd-remount-fs.service systemd-sysusers.service
 Before=time-sync.target sysinit.target shutdown.target
 Conflicts=shutdown.target
 Wants=time-sync.target
 [Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-WatchdogSec=3min
-User=systemd-timesync
-DynamicUser=yes
-CapabilityBoundingSet=CAP_SYS_TIME
 AmbientCapabilities=CAP_SYS_TIME
+CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/timesync
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
 StateDirectory=systemd/timesync
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+Type=notify
+User=systemd-timesync
+WatchdogSec=3min
 [Install]
 WantedBy=sysinit.target |
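Review bot: Dropping `DynamicUser=yes` from [Service] also drops the sandboxing that option implied, and the new lines restore only part of it. `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=strict` are now explicit, but `RemoveIPC=yes`, which systemd.exec(5) lists among the settings implied by DynamicUser=, is not re-added. If that is deliberate, a one-line comment above `User=systemd-timesync` would record it; otherwise add `RemoveIPC=yes` so the static-user unit keeps the same confinement. Because the hunk re-sorts every directive alphabetically in the same change, the security-relevant delta (one option removed, three added, one ordering dependency on systemd-sysusers.service) is hard to pick out, so the commit message should list it. With DynamicUser= gone, `StateDirectory=systemd/timesync` presumably no longer resolves through /var/lib/private, so it is worth confirming that existing state is migrated and its ownership corrected elsewhere in the series.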