« Back to Settings for systemd units

ProtectClock setting

This article has last been updated at .

The property ProtectClock is a systemd unit setting used for sandboxing. It is available since systemd 245.

Purpose: limit access to clock information

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use ProtectClock

The setting ProtectClock reduces access the clock information.

Configuration options of ProtectClock

When this setting is not configured or disabled (e.g. no) access to clock information is not restricted. When set (e.g. true), the service will no longer have access to clock information. A system function call like clock_adjtime(2) will fail.

Generic advice

For most services ProtectClock=yes can be used, unless it really depends on retrieving clock information.

Testing

To see if a program works with this property, consider using the systemd-run command.

systemd-run --pty --property=ProtectClock=yes /path/to/PROGRAM

Another option is to use strace and monitor for syscalls related to the clock.

#include <stdio.h>
#include <sys/timex.h>

int main(int argc, char *argv[]) {
    struct ntptimeval timestate = {0};
    // Try to get the time using the syscall clock_adjtime
    ntp_gettime(&timestate);
    // Returns Success if it worked
    perror("clock_adjtime");
}

Compile the program using gcc:

gcc protectclock.c

Then run it:

./a.out

To look at the syscalls being used:

strace ./a.out

Example when the clock is accessible:

clock_adjtime(CLOCK_REALTIME, {modes=0, offset=479672, freq=634399, maxerror=175500, esterror=0, status=STA_PLL|STA_NANO, constant=7, precision=1, tolerance=32768000, time={tv_sec=1731537097, tv_usec=153901179}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 0 (TIME_OK)

Values

Systemd unit setting ProtectClock expects a boolean (yes/no or true/false).

Values for systemd unit setting ProtectClock
ValueIntended actionAvailable since
systemd version
nonormal access allowed to clock information - default
yesprocesses can't retrieve or adjust clock information

Example to show the current value of ProtectClock for the ssh service:

systemctl show --property=ProtectClock ssh.service

Related hardening profiles

The systemd unit setting ProtectClock is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • gcc
  • stracecheat sheet
  • systemd-run

See the full list of Linux commands for additional system administration tools.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.