diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 14075cb4e7..82dfa45664 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2322,15 +2322,15 @@ RestrictFileSystems=ext4
restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
any combination of: cgroup, ipc, net,
- mnt, pid, user and uts. Any
- namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
- prohibited (allow-listing). By prepending the list with a single tilde character (~) the
- effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
- permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
- which is equivalent to false. This option may appear more than once, in which case the namespace types are
- merged by OR, or by AND if the lines are prefixed with
- ~ (see examples below). Internally, this setting limits access to the
- unshare2,
+ mnt, pid, user, uts, and
+ time. Any namespace type listed is made accessible to the unit's processes, access to
+ namespace types not listed is prohibited (allow-listing). By prepending the list with a single tilde
+ character (~) the effect may be inverted: only the listed namespace types will be made
+ inaccessible, all unlisted ones are permitted (deny-listing). If the empty string is assigned, the default
+ namespace restrictions are applied, which is equivalent to false. This option may appear more than once, in
+ which case the namespace types are merged by OR, or by AND if the
+ lines are prefixed with ~ (see examples below). Internally, this setting limits access to
+ the unshare2,
clone2 and
setns2 system calls, taking
the specified flags parameters into account. Note that — if this option is used — in addition to restricting
diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h
index c4ff82df6c..7c6214a3bb 100644
--- a/src/shared/nsflags.h
+++ b/src/shared/nsflags.h
@@ -14,7 +14,8 @@
CLONE_NEWNS| \
CLONE_NEWPID| \
CLONE_NEWUSER| \
- CLONE_NEWUTS))
+ CLONE_NEWUTS| \
+ CLONE_NEWTIME))
#define NAMESPACE_FLAGS_INITIAL ULONG_MAX
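Review bot: Adding `CLONE_NEWTIME` to `NAMESPACE_FLAGS_ALL` tightens existing allow-lists, and nothing near the macro says so. A unit with, say, `RestrictNamespaces=user` presumably could still create time namespaces while the flag was outside the mask, and will now be denied. A comment above the macro would record this, for example `/* Every namespace type RestrictNamespaces= can filter; adding a flag here also tightens existing allow-lists. */`, and the change deserves a release-note entry. The macro definition starts outside the hunk. It is also worth confirming that `CLONE_NEWTIME` is defined when building against older kernel or libc headers; if the tree has no fallback, an `#ifndef CLONE_NEWTIME` / `#define CLONE_NEWTIME 0x00000080` guard is needed.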
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 459708ee00..b400908978 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -295,7 +295,7 @@ TEST(restrict_namespace) {
s = mfree(s);
assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0);
- ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts");
+ ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts time");
assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
s = mfree(s);
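Review bot: The updated `ASSERT_STREQ` only covers the full set, so a wrong name-to-flag mapping for the new entry would still pass the round trip through `NAMESPACE_FLAGS_ALL`. A focused check such as `assert_se(namespace_flags_from_string("time", &ul) == 0 && ul == CLONE_NEWTIME);` pins the mapping independently of table order. TEST(restrict_namespace) continues outside the hunk, so confirm that the part installing the seccomp filter also tries a `CLONE_NEWTIME` unshare. Otherwise the enforcement path for the new flag is covered only by the shell test.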
diff --git a/test/units/TEST-07-PID1.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh
index 402a3b3498..1e253b390d 100755
--- a/test/units/TEST-07-PID1.exec-context.sh
+++ b/test/units/TEST-07-PID1.exec-context.sh
@@ -415,3 +415,7 @@ fi
(! systemd-run --wait --pipe -p RootDirectory=/tmp/root this-shouldnt-exist)
(! systemd-run --wait --pipe -p RootDirectory=/tmp/root /foo)
(! systemd-run --wait --pipe --service-type=oneshot -p ExecStartPre=-/foo/bar/baz -p ExecStart=-/foo/bar/baz -p RootDirectory=/tmp/root -- "- foo")
+
+# RestrictNamespaces=
+systemd-run --wait --pipe unshare -T true
+(! systemd-run --wait --pipe -p RestrictNamespaces=~time unshare -T true)
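Review bot: The new checks exercise only the deny-list form (`~time`), while the behaviour most likely to regress is the allow-list and boolean forms, where `time` must be denied because it is not listed. The unrestricted control run on the first added line will also fail on kernels without time namespace support, which breaks the test for reasons unrelated to `RestrictNamespaces=`. I would guard the block on `/proc/self/ns/time` and add the two extra negative cases, as sketched below.

```shell
# RestrictNamespaces=
# Time namespaces need kernel support; skip where it is absent so the
# control run below does not fail for unrelated reasons.
if [[ -e /proc/self/ns/time ]]; then
    systemd-run --wait --pipe unshare -T true
    (! systemd-run --wait --pipe -p RestrictNamespaces=~time unshare -T true)
    # Allow-list and boolean forms: "time" is not listed, so it must be denied too.
    (! systemd-run --wait --pipe -p RestrictNamespaces=user unshare -T true)
    (! systemd-run --wait --pipe -p RestrictNamespaces=yes unshare -T true)
fi
```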