scrub/xfs_scrub_fail@.service.in - pub/scm/fs/xfs/xfsprogs-dev - Git at Google

 # SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Copyright (C) 2018-2024 Oracle.  All Rights Reserved.
 # Author: Darrick J. Wong <djwong@kernel.org>

 [Unit]
 Description=Online XFS Metadata Check Failure Reporting for %f
 Documentation=man:xfs_scrub(8)

 [Service]
 Type=oneshot
 Environment=EMAIL_ADDR=root
 ExecStart=@pkg_libexec_dir@/xfs_scrub_fail "${EMAIL_ADDR}" xfs_scrub %f
 User=mail
 Group=mail
 SupplementaryGroups=systemd-journal

 # Create the service underneath the scrub background service slice so that we
 # can control resource usage.
 Slice=system-xfs_scrub.slice

 # No realtime scheduling
 RestrictRealtime=true

 # Make the entire filesystem readonly and /home inaccessible.
 ProtectSystem=full
 ProtectHome=yes
 PrivateTmp=true
 RestrictSUIDSGID=true

 # Emailing reports requires network access, but not the ability to change the
 # hostname.
 ProtectHostname=true

 # Don't let the program mess with the kernel configuration at all
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
 ProtectProc=invisible
 RestrictNamespaces=true

 # Can't hide /proc because journalctl needs it to find various pieces of log
 # information
 #ProcSubset=pid

 # Only allow the default personality Linux
 LockPersonality=true

 # No writable memory pages
 MemoryDenyWriteExecute=true

 # Don't let our mounts leak out to the host
 PrivateMounts=true

 # Restrict system calls to the native arch and only enough to get things going
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
 SystemCallFilter=~@resources
 SystemCallFilter=~@mount

 # xfs_scrub needs these privileges to run, and no others
 CapabilityBoundingSet=
 NoNewPrivileges=true

 # Failure reporting shouldn't create world-readable files
 UMask=0077

 # Clean up any IPC objects when this unit stops
 RemoveIPC=true

 # No access to hardware device files
 PrivateDevices=true
 ProtectClock=true
	# SPDX-License-Identifier: GPL-2.0-or-later
	#
	# Copyright (C) 2018-2024 Oracle. All Rights Reserved.
	# Author: Darrick J. Wong <djwong@kernel.org>

	[Unit]
	Description=Online XFS Metadata Check Failure Reporting for %f
	Documentation=man:xfs_scrub(8)

	[Service]
	Type=oneshot
	Environment=EMAIL_ADDR=root
	ExecStart=@pkg_libexec_dir@/xfs_scrub_fail "${EMAIL_ADDR}" xfs_scrub %f
	User=mail
	Group=mail
	SupplementaryGroups=systemd-journal

	# Create the service underneath the scrub background service slice so that we
	# can control resource usage.
	Slice=system-xfs_scrub.slice

	# No realtime scheduling
	RestrictRealtime=true

	# Make the entire filesystem readonly and /home inaccessible.
	ProtectSystem=full
	ProtectHome=yes
	PrivateTmp=true
	RestrictSUIDSGID=true

	# Emailing reports requires network access, but not the ability to change the
	# hostname.
	ProtectHostname=true

	# Don't let the program mess with the kernel configuration at all
	ProtectKernelLogs=true
	ProtectKernelModules=true
	ProtectKernelTunables=true
	ProtectControlGroups=true
	ProtectProc=invisible
	RestrictNamespaces=true

	# Can't hide /proc because journalctl needs it to find various pieces of log
	# information
	#ProcSubset=pid

	# Only allow the default personality Linux
	LockPersonality=true

	# No writable memory pages
	MemoryDenyWriteExecute=true

	# Don't let our mounts leak out to the host
	PrivateMounts=true

	# Restrict system calls to the native arch and only enough to get things going
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallFilter=~@privileged
	SystemCallFilter=~@resources
	SystemCallFilter=~@mount

	# xfs_scrub needs these privileges to run, and no others
	CapabilityBoundingSet=
	NoNewPrivileges=true

	# Failure reporting shouldn't create world-readable files
	UMask=0077

	# Clean up any IPC objects when this unit stops
	RemoveIPC=true

	# No access to hardware device files
	PrivateDevices=true
	ProtectClock=true