units: add ProtectClock=yes

Add `ProtectClock=yes` to systemd units. Since it implies certain
`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
they are still able to access other devices. Exclude timesyncd and timedated.

Author: topimiettinen

units/systemd-journal-remote.service.in

@@ -21,6 +21,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes

units/systemd-journald.service.in

@@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

units/systemd-logind.service.in

@@ -36,6 +36,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes

units/systemd-networkd.service.in

@@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes

units/systemd-resolved.service.in

@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes

units/systemd-udevd.service.in

@@ -16,6 +16,8 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
 # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
 OOMScoreAdjust=-1000
@@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6