ProtectClock setting
The property ProtectClock is a systemd unit setting used for sandboxing. It is available since systemd 245.
Purpose: limit access to clock information
Why and when to use ProtectClock
The setting ProtectClock reduces access to clock information.
Configuration options of ProtectClock
When this setting is not configured or is disabled (e.g. no), access to clock information is not restricted. When it is set (e.g. true), the service no longer has access to clock information: a system call such as clock_adjtime(2) will fail.
Generic advice
For most services, ProtectClock=yes can be used, unless the service really depends on retrieving clock information.
Testing
To see if a program works with this property, consider using the systemd-run command.
systemd-run --pty --property=ProtectClock=yes /path/to/PROGRAM
Another option is to use strace and monitor for syscalls related to the clock.
#include <stdio.h>
#include <sys/timex.h>

int main(int argc, char *argv[]) {
    struct ntptimeval timestate = {0};

    // Try to read the kernel time state; glibc implements ntp_gettime()
    // with the clock_adjtime syscall, which ProtectClock=yes filters
    if (ntp_gettime(&timestate) < 0) {
        perror("clock_adjtime");
        return 1;
    }

    // Reached only when the call worked
    printf("clock_adjtime: Success\n");
    return 0;
}
Compile the program:
gcc protectclock.c
Then run it:
./a.out
To look at the syscalls being used:
strace ./a.out
Example when the clock is accessible:
clock_adjtime(CLOCK_REALTIME, {modes=0, offset=479672, freq=634399, maxerror=175500, esterror=0, status=STA_PLL|STA_NANO, constant=7, precision=1, tolerance=32768000, time={tv_sec=1731537097, tv_usec=153901179}, tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0, calcnt=0, errcnt=0, stbcnt=0, tai=0}) = 0 (TIME_OK)
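The following added example (not code from the original page) extends the probe above to show the distinction a practitioner usually wants when testing a service: reading the wall clock with clock_gettime(2) keeps working under ProtectClock=yes, while adjtimex(2) fails with EPERM even when called in read-only mode (modes=0), because the whole syscall belongs to the filtered @clock group. The classification of EPERM as "blocked by the sandbox" assumes the default SystemCallErrorNumber= behaviour of systemd.

```c
#define _GNU_SOURCE
// probe_clock.c: exercise two clock interfaces and report which ones the
// current sandbox still allows. Run it with and without
//   systemd-run --pty --property=ProtectClock=yes ./probe_clock
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>
#include <time.h>

// Outcome of a single probe.
enum outcome { ALLOWED = 0, BLOCKED = 1, FAILED = 2 };

// Map a syscall return value plus errno to an outcome. The seccomp filter
// that ProtectClock= installs returns EPERM by default, so EPERM on a
// read-only call is the signature of the sandbox rather than of a bug.
enum outcome classify(int ret, int err) {
    if (ret >= 0)
        return ALLOWED;
    return (err == EPERM) ? BLOCKED : FAILED;
}

// clock_gettime(2) is not in the @clock syscall group; it must keep working.
enum outcome probe_clock_gettime(void) {
    struct timespec ts;
    errno = 0;
    int ret = clock_gettime(CLOCK_REALTIME, &ts);
    return classify(ret, errno);
}

// adjtimex(2) with modes=0 only reads kernel timekeeping state, but the
// syscall as a whole is in @clock and therefore filtered by ProtectClock=yes.
enum outcome probe_adjtimex_readonly(void) {
    struct timex tx;
    memset(&tx, 0, sizeof tx);   // modes=0: read-only query
    errno = 0;
    int ret = adjtimex(&tx);      // returns the clock state (>= 0) on success
    return classify(ret, errno);
}

static const char *outcome_name(enum outcome o) {
    return o == ALLOWED ? "allowed" : o == BLOCKED ? "blocked (EPERM)" : "failed";
}

int main(void) {
    printf("clock_gettime(CLOCK_REALTIME): %s\n", outcome_name(probe_clock_gettime()));
    printf("adjtimex(modes=0):             %s\n", outcome_name(probe_adjtimex_readonly()));
    return 0;
}
```

Without the sandbox both probes report "allowed"; under ProtectClock=yes the second one reports "blocked (EPERM)" while the first still succeeds.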
Values
This setting expects a boolean (yes or no).
- no: normal access allowed to clock information - default
- yes: processes can't retrieve or adjust clock information
Example to show the current value of ProtectClock for the dmesg service:
systemctl show --property=ProtectClock dmesg.service
Related hardening profiles
The systemd unit setting ProtectClock is used in the following hardening profiles.