···

       
192
       
192
       
 
       
        serviceConfig.MemoryDenyWriteExecute = true;

     

       
193
       
193
       
 
       
        serviceConfig.NoNewPrivileges = true;

     

       
194
       
194
       
 
       
        serviceConfig.PrivateDevices = true;

     

       
195
       
195
       
-
       
        serviceConfig.ProtectClock = true;

     

       
195
       
195
       
+
       
        serviceConfig.ProtectClock = mkDefault true;

     

       
196
       
196
       
 
       
        serviceConfig.ProtectControlGroups = true;

     

       
197
       
197
       
 
       
        serviceConfig.ProtectHome = true;

     

       
198
       
198
       
 
       
        serviceConfig.ProtectHostname = true;

     

···

       
37
       
37
       
 
       
      '';

     

       
38
       
38
       
 
       
      # The systemd collector needs AF_UNIX

     

       
39
       
39
       
 
       
      RestrictAddressFamilies = lib.optional (lib.any (x: x == "systemd") cfg.enabledCollectors) "AF_UNIX";

     

       
40
       
40
       
+
       
      # The timex collector needs to access clock APIs

     

       
41
       
41
       
+
       
      ProtectClock = lib.any (x: x == "timex") cfg.disabledCollectors;

     

       
40
       
42
       
 
       
    };

     

       
41
       
43
       
 
       
  };

     

       
42
       
44
       
 
       
}