diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 795e26e792..a96e5c22d0 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1826,17 +1826,22 @@ BindReadOnlyPaths=/var/lib/systemd ProtectClock= - Takes a boolean argument. If set, writes to the hardware clock or system clock will be denied. - It is recommended to turn this on for most services that do not need modify the clock. Defaults to off. Enabling - this option removes CAP_SYS_TIME and CAP_WAKE_ALARM from the - capability bounding set for this unit, installs a system call filter to block calls that can set the - clock, and DeviceAllow=char-rtc r is implied. This ensures /dev/rtc0, - /dev/rtc1, etc. are made read-only to the service. See + Takes a boolean argument. If set, writes to the hardware clock or system clock will + be denied. Defaults to off. Enabling this option removes CAP_SYS_TIME and + CAP_WAKE_ALARM from the capability bounding set for this unit, installs a system + call filter to block calls that can set the clock, and DeviceAllow=char-rtc r is + implied. Note that the system calls are blocked altogether, the filter does not take into account + that some of the calls can be used to read the clock state with some parameter combinations. + Effectively, /dev/rtc0, /dev/rtc1, etc. are made read-only + to the service. See systemd.resource-control5 - for the details about DeviceAllow=. If this setting is on, but the unit - doesn't have the CAP_SYS_ADMIN capability (e.g. services for which + for the details about DeviceAllow=. If this setting is on, but the unit doesn't + have the CAP_SYS_ADMIN capability (e.g. services for which User= is set), NoNewPrivileges=yes is implied. + It is recommended to turn this on for most services that do not need modify the clock or check + its state. +
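Review bot: The recommendation sentence moved to the end of the hunk still carries the grammatical error from the old text, "services that do not need modify the clock or check its state"; since the line is being rewritten anyway, fix it to "services that do not need to modify the clock or check its state". Two smaller points in the same hunk: the added caveat "Note that the system calls are blocked altogether, the filter does not take into account that some of the calls can be used to read the clock state with some parameter combinations." is a comma splice and reads better as "Note that the system calls are blocked altogether; the filter does not take into account that ...", and it would help readers to name which of the blocked calls can also be used read-only, so that a service author can tell in advance whether a read-only clock query will fail under ProtectClock=yes rather than discovering it from a SIGSYS. Moving "It is recommended ..." after the NoNewPrivileges=yes sentence is the right place for it, since the recommendation now depends on the caveat about read-only uses being blocked.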