scrub/xfs_scrub_all.service.in - pub/scm/fs/xfs/xfsprogs-dev - Git at Google

 # SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Copyright (C) 2018-2024 Oracle.  All Rights Reserved.
 # Author: Darrick J. Wong <djwong@kernel.org>

 [Unit]
 Description=Online XFS Metadata Check for All Filesystems
 OnFailure=xfs_scrub_all_fail.service
 ConditionACPower=true
 Documentation=man:xfs_scrub_all(8)
 After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service

 [Service]
 Type=oneshot
 Environment=SERVICE_MODE=1
 ExecStart=@sbindir@/xfs_scrub_all --auto-media-scan-interval @media_scan_interval@
 SyslogIdentifier=xfs_scrub_all

 # Create the service underneath the scrub background service slice so that we
 # can control resource usage.
 Slice=system-xfs_scrub.slice

 # Run scrub_all with minimal CPU and IO priority so that nothing will starve.
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
 CPUAccounting=true
 Nice=19

 # No realtime scheduling
 RestrictRealtime=true

 # No special privileges, but we still have to run as root so that we can
 # contact the service manager to start the sub-units.
 CapabilityBoundingSet=
 NoNewPrivileges=true
 RestrictSUIDSGID=true

 # Make the entire filesystem readonly except for the media scan stamp file
 # directory.  We don't want to hide anything because we need to find all
 # mounted XFS filesystems in the host.
 ProtectSystem=strict
 ProtectHome=read-only
 PrivateTmp=false
 BindPaths=@pkg_state_dir@

 # No network access except to the systemd control socket
 PrivateNetwork=true
 ProtectHostname=true
 RestrictAddressFamilies=AF_UNIX
 IPAddressDeny=any

 # Don't let the program mess with the kernel configuration at all
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
 ProtectProc=invisible
 RestrictNamespaces=true

 # Hide everything in /proc, even /proc/mounts
 ProcSubset=pid

 # Only allow the default personality Linux
 LockPersonality=true

 # No writable memory pages
 MemoryDenyWriteExecute=true

 # Don't let our mounts leak out to the host
 PrivateMounts=true

 # Restrict system calls to the native arch and only enough to get things going
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
 SystemCallFilter=~@resources
 SystemCallFilter=~@mount

 # Media scan stamp file shouldn't be readable by regular users
 UMask=0077

 # lsblk ignores mountpoints if it can't find the device files, so we cannot
 # hide them
 #ProtectClock=true
 #PrivateDevices=true
	# SPDX-License-Identifier: GPL-2.0-or-later
	#
	# Copyright (C) 2018-2024 Oracle. All Rights Reserved.
	# Author: Darrick J. Wong <djwong@kernel.org>

	[Unit]
	Description=Online XFS Metadata Check for All Filesystems
	OnFailure=xfs_scrub_all_fail.service
	ConditionACPower=true
	Documentation=man:xfs_scrub_all(8)
	After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service

	[Service]
	Type=oneshot
	Environment=SERVICE_MODE=1
	ExecStart=@sbindir@/xfs_scrub_all --auto-media-scan-interval @media_scan_interval@
	SyslogIdentifier=xfs_scrub_all

	# Create the service underneath the scrub background service slice so that we
	# can control resource usage.
	Slice=system-xfs_scrub.slice

	# Run scrub_all with minimal CPU and IO priority so that nothing will starve.
	IOSchedulingClass=idle
	CPUSchedulingPolicy=idle
	CPUAccounting=true
	Nice=19

	# No realtime scheduling
	RestrictRealtime=true

	# No special privileges, but we still have to run as root so that we can
	# contact the service manager to start the sub-units.
	CapabilityBoundingSet=
	NoNewPrivileges=true
	RestrictSUIDSGID=true

	# Make the entire filesystem readonly except for the media scan stamp file
	# directory. We don't want to hide anything because we need to find all
	# mounted XFS filesystems in the host.
	ProtectSystem=strict
	ProtectHome=read-only
	PrivateTmp=false
	BindPaths=@pkg_state_dir@

	# No network access except to the systemd control socket
	PrivateNetwork=true
	ProtectHostname=true
	RestrictAddressFamilies=AF_UNIX
	IPAddressDeny=any

	# Don't let the program mess with the kernel configuration at all
	ProtectKernelLogs=true
	ProtectKernelModules=true
	ProtectKernelTunables=true
	ProtectControlGroups=true
	ProtectProc=invisible
	RestrictNamespaces=true

	# Hide everything in /proc, even /proc/mounts
	ProcSubset=pid

	# Only allow the default personality Linux
	LockPersonality=true

	# No writable memory pages
	MemoryDenyWriteExecute=true

	# Don't let our mounts leak out to the host
	PrivateMounts=true

	# Restrict system calls to the native arch and only enough to get things going
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallFilter=~@privileged
	SystemCallFilter=~@resources
	SystemCallFilter=~@mount

	# Media scan stamp file shouldn't be readable by regular users
	UMask=0077

	# lsblk ignores mountpoints if it can't find the device files, so we cannot
	# hide them
	#ProtectClock=true
	#PrivateDevices=true