It seems that this is caused by the following directive I have in a /etc/chrony.d/local.conf file: hwtimestamp eth0 Commenting this out will work with the default hardening enabled. I'll override the relevant directives in the systemd configuration, so feel free to close this report as invalid if this is intended behaviour. Note that only the following two directives need an override: [Service] PrivateDevices=false DeviceAllow=