authorLennart Poettering <lennart@poettering.net>2018-11-12 17:19:48 +0100
committerLennart Poettering <lennart@poettering.net>2018-11-12 19:02:55 +0100
commit3ca9940cb95cb263c6bfe5cfee72df232fe46a94 (patch)
tree1aea17c3bc6b6f4f3abd129e973196d540b98d04 /units
parentupdate TODO (diff)
units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux systems this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels are permitted. And while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in more stable patches later on. Fixes: #1219
Diffstat (limited to 'units')
-rw-r--r--units/systemd-coredump@.service.in27
-rw-r--r--units/systemd-hostnamed.service.in29
-rw-r--r--units/systemd-initctl.service.in3
-rw-r--r--units/systemd-journal-gatewayd.service.in19
-rw-r--r--units/systemd-journal-remote.service.in23
-rw-r--r--units/systemd-journal-upload.service.in23
-rw-r--r--units/systemd-journald.service.in27
-rw-r--r--units/systemd-localed.service.in29
-rw-r--r--units/systemd-logind.service.in23
-rw-r--r--units/systemd-machined.service.in15
-rw-r--r--units/systemd-networkd.service.in33
-rw-r--r--units/systemd-resolved.service.in37
-rw-r--r--units/systemd-rfkill.service.in5
-rw-r--r--units/systemd-timedated.service.in27
-rw-r--r--units/systemd-timesyncd.service.in37
15 files changed, 186 insertions, 171 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 215696ecd..ffcb5f36c 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -18,24 +18,25 @@ Before=shutdown.target
[Service]
ExecStart=-@rootlibexecdir@/systemd-coredump
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
Nice=9
+NoNewPrivileges=yes
OOMScoreAdjust=500
-RuntimeMaxSec=5min
-PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RuntimeMaxSec=5min
StateDirectory=systemd/coredump
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
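Review bot: The new `NoNewPrivileges=yes` line in this hunk, and in every other unit this commit touches, carries a deployment prerequisite that only the commit message records: on SELinux systems the policy must allow NNP-ful transitions from init_t to the service's label, or the label transition may be blocked. A reader of the shipped unit file never sees the commit message, so a one-line comment above the setting would keep that caveat next to the knob that triggers it, e.g. `# NoNewPrivileges= requires an SELinux policy that permits NNP-ful transitions from init_t to this service's label`. The same comment applies to the hostnamed, initctl, journal-gatewayd, journal-remote, journal-upload, journald, localed, logind, machined, networkd, resolved, rfkill, timedated and timesyncd hunks below; I am noting it once here rather than per hunk.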
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index da74b4fe8..9c925e80d 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -13,25 +13,26 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(
Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
[Service]
-ExecStart=@rootlibexecdir@/systemd-hostnamed
BusName=org.freedesktop.hostname1
-WatchdogSec=3min
CapabilityBoundingSet=CAP_SYS_ADMIN
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-hostnamed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service sethostname
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service sethostname
+WatchdogSec=3min
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index 2b4b957dc..c27628390 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -13,6 +13,7 @@ Documentation=man:systemd-initctl.service(8)
DefaultDependencies=no
[Service]
-NotifyAccess=all
ExecStart=@rootlibexecdir@/systemd-initctl
+NoNewPrivileges=yes
+NotifyAccess=all
SystemCallArchitectures=native
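Review bot: After this hunk the visible [Service] section of systemd-initctl.service.in has only `NoNewPrivileges=yes` and `SystemCallArchitectures=native`, none of the sandboxing the sibling units in this commit carry (ProtectSystem=, ProtectKernelTunables=, SystemCallFilter=, RestrictAddressFamilies=, LockPersonality=); the rfkill hunk is in the same position. The [Service] body may continue outside the hunk, so some of these could already be set there; if they are not, either a follow-up bringing these two units in line with the rest, or a comment stating why the sandbox is kept minimal, would stop the gap from being read as an oversight. A comment such as `# Sandboxing intentionally minimal here; see <reason>` above the ExecStart= line would suffice.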
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index a51d59d10..ebc8bf9a2 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -13,22 +13,23 @@ Documentation=man:systemd-journal-gatewayd(8)
Requires=systemd-journal-gatewayd.socket
[Service]
-ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
-User=systemd-journal-gateway
-SupplementaryGroups=systemd-journal
DynamicUser=yes
+ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
-ProtectHome=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SupplementaryGroups=systemd-journal
SystemCallArchitectures=native
-LockPersonality=yes
+User=systemd-journal-gateway
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index fa8682cd2..29a99aaec 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -14,23 +14,24 @@ Requires=systemd-journal-remote.socket
[Service]
ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
-User=systemd-journal-remote
-WatchdogSec=3min
-PrivateTmp=yes
+LockPersonality=yes
+LogsDirectory=journal/remote
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
SystemCallArchitectures=native
-LockPersonality=yes
-LogsDirectory=journal/remote
+User=systemd-journal-remote
+WatchdogSec=3min
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 1ded99087..92cd4e525 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -14,23 +14,24 @@ Wants=network-online.target
After=network-online.target
[Service]
-ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
-User=systemd-journal-upload
DynamicUser=yes
-SupplementaryGroups=systemd-journal
-WatchdogSec=3min
+ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
-ProtectHome=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
StateDirectory=systemd/journal-upload
+SupplementaryGroups=systemd-journal
+SystemCallArchitectures=native
+User=systemd-journal-upload
+WatchdogSec=3min
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 41cac8cf6..4684f095c 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -16,24 +16,25 @@ After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-a
Before=sysinit.target
[Service]
-Type=notify
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
ExecStart=@rootlibexecdir@/systemd-journald
-Restart=always
-RestartSec=0
-StandardOutput=null
-WatchdogSec=3min
FileDescriptorStoreMax=4224
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+IPAddressDeny=any
+LockPersonality=yes
MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+NoNewPrivileges=yes
+Restart=always
+RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+StandardOutput=null
SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+WatchdogSec=3min
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a24e61a0c..01e0703d0 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -13,25 +13,26 @@ Documentation=man:systemd-localed.service(8) man:locale.conf(5) man:vconsole.con
Documentation=https://www.freedesktop.org/wiki/Software/systemd/localed
[Service]
-ExecStart=@rootlibexecdir@/systemd-localed
BusName=org.freedesktop.locale1
-WatchdogSec=3min
CapabilityBoundingSet=
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-localed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+WatchdogSec=3min
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 961263f60..38a7f269a 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -20,22 +20,23 @@ Wants=dbus.socket
After=dbus.socket
[Service]
-ExecStart=@rootlibexecdir@/systemd-logind
-Restart=always
-RestartSec=0
BusName=org.freedesktop.login1
-WatchdogSec=3min
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+ExecStart=@rootlibexecdir@/systemd-logind
+FileDescriptorStoreMax=512
+IPAddressDeny=any
+LockPersonality=yes
MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+NoNewPrivileges=yes
+Restart=always
+RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-FileDescriptorStoreMax=512
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+WatchdogSec=3min
# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 1200a90a6..9f1476814 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -16,18 +16,19 @@ After=machine.slice
RequiresMountsFor=/var/lib/machines
[Service]
-ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
-WatchdogSec=3min
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
+ExecStart=@rootlibexecdir@/systemd-machined
+IPAddressDeny=any
+LockPersonality=yes
MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
+NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=@system-service @mount
-SystemCallErrorNumber=EPERM
+RestrictRealtime=yes
SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @mount
+WatchdogSec=3min
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 65d3e2a66..472ef045d 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -19,28 +19,29 @@ Conflicts=shutdown.target
Wants=network.target
[Service]
-Type=notify
-Restart=on-failure
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-networkd
-WatchdogSec=3min
-User=systemd-network
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-ProtectSystem=strict
-ProtectHome=yes
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ExecStart=!!@rootlibexecdir@/systemd-networkd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
ProtectControlGroups=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-network
+WatchdogSec=3min
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ef5398cbf..3144b7006 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -20,31 +20,32 @@ Conflicts=shutdown.target
Wants=nss-lookup.target
[Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-resolved
-WatchdogSec=3min
-User=systemd-resolve
-CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+ExecStart=!!@rootlibexecdir@/systemd-resolved
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-resolve
+WatchdogSec=3min
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 4b68f0b5a..3abb95831 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -17,7 +17,8 @@ After=sys-devices-virtual-misc-rfkill.device systemd-remount-fs.service
Before=shutdown.target
[Service]
-Type=notify
ExecStart=@rootlibexecdir@/systemd-rfkill
-TimeoutSec=30s
+NoNewPrivileges=yes
StateDirectory=systemd/rfkill
+TimeoutSec=30s
+Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 906bb4326..6d5302419 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -13,23 +13,24 @@ Documentation=man:systemd-timedated.service(8) man:localtime(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
[Service]
-ExecStart=@rootlibexecdir@/systemd-timedated
BusName=org.freedesktop.timedate1
-WatchdogSec=3min
CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=@rootlibexecdir@/systemd-timedated
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+WatchdogSec=3min
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 12f918dd1..03ade45d0 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -19,31 +19,32 @@ Conflicts=shutdown.target
Wants=time-sync.target
[Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-WatchdogSec=3min
-User=systemd-timesync
-CapabilityBoundingSet=CAP_SYS_TIME
AmbientCapabilities=CAP_SYS_TIME
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
RuntimeDirectory=systemd/timesync
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
StateDirectory=systemd/timesync
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+Type=notify
+User=systemd-timesync
+WatchdogSec=3min
[Install]
WantedBy=sysinit.target