scrub/xfs_scrub@.service.in - pub/scm/fs/xfs/xfsprogs-dev - Git at Google

 # SPDX-License-Identifier: GPL-2.0-or-later
 #
 # Copyright (C) 2018-2024 Oracle.  All Rights Reserved.
 # Author: Darrick J. Wong <djwong@kernel.org>

 [Unit]
 Description=Online XFS Metadata Check for %f
 OnFailure=xfs_scrub_fail@%i.service
 Documentation=man:xfs_scrub(8)

 # Explicitly require the capabilities that this program needs
 ConditionCapability=CAP_SYS_ADMIN
 ConditionCapability=CAP_FOWNER
 ConditionCapability=CAP_DAC_OVERRIDE
 ConditionCapability=CAP_DAC_READ_SEARCH
 ConditionCapability=CAP_SYS_RAWIO

 # Must be a mountpoint
 ConditionPathIsMountPoint=%f
 RequiresMountsFor=%f

 [Service]
 Type=oneshot
 Environment=SERVICE_MODE=1
 ExecStart=@sbindir@/xfs_scrub @scrub_service_args@ -M /tmp/scrub/ %f
 SyslogIdentifier=%N

 # Run scrub with minimal CPU and IO priority so that nothing else will starve.
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
 CPUAccounting=true
 Nice=19

 # Create the service underneath the scrub background service slice so that we
 # can control resource usage.
 Slice=system-xfs_scrub.slice

 # No realtime CPU scheduling
 RestrictRealtime=true

 # Dynamically create a user that isn't root
 DynamicUser=true

 # Make the entire filesystem readonly and /home inaccessible, then bind mount
 # the filesystem we're supposed to be checking into our private /tmp dir.
 # 'norbind' means that we don't bind anything under that original mount.
 ProtectSystem=strict
 ProtectHome=yes
 PrivateTmp=true
 BindPaths=%f:/tmp/scrub:norbind

 # Don't let scrub complain about paths in /etc/projects that have been hidden
 # by our sandboxing.  scrub doesn't care about project ids anyway.
 InaccessiblePaths=-/etc/projects

 # No network access
 PrivateNetwork=true
 ProtectHostname=true
 RestrictAddressFamilies=none
 IPAddressDeny=any

 # Don't let the program mess with the kernel configuration at all
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
 ProtectProc=invisible
 RestrictNamespaces=true

 # Hide everything in /proc, even /proc/mounts
 ProcSubset=pid

 # Only allow the default personality Linux
 LockPersonality=true

 # No writable memory pages
 MemoryDenyWriteExecute=true

 # Don't let our mounts leak out to the host
 PrivateMounts=true

 # Restrict system calls to the native arch and only enough to get things going
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
 SystemCallFilter=~@resources
 SystemCallFilter=~@mount

 # xfs_scrub needs these privileges to run, and no others
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
 AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
 NoNewPrivileges=true

 # xfs_scrub doesn't create files
 UMask=7777

 # No access to hardware /dev files except for block devices
 ProtectClock=true
 DevicePolicy=closed
 DeviceAllow=block-*
	# SPDX-License-Identifier: GPL-2.0-or-later
	#
	# Copyright (C) 2018-2024 Oracle. All Rights Reserved.
	# Author: Darrick J. Wong <djwong@kernel.org>

	[Unit]
	Description=Online XFS Metadata Check for %f
	OnFailure=xfs_scrub_fail@%i.service
	Documentation=man:xfs_scrub(8)

	# Explicitly require the capabilities that this program needs
	ConditionCapability=CAP_SYS_ADMIN
	ConditionCapability=CAP_FOWNER
	ConditionCapability=CAP_DAC_OVERRIDE
	ConditionCapability=CAP_DAC_READ_SEARCH
	ConditionCapability=CAP_SYS_RAWIO

	# Must be a mountpoint
	ConditionPathIsMountPoint=%f
	RequiresMountsFor=%f

	[Service]
	Type=oneshot
	Environment=SERVICE_MODE=1
	ExecStart=@sbindir@/xfs_scrub @scrub_service_args@ -M /tmp/scrub/ %f
	SyslogIdentifier=%N

	# Run scrub with minimal CPU and IO priority so that nothing else will starve.
	IOSchedulingClass=idle
	CPUSchedulingPolicy=idle
	CPUAccounting=true
	Nice=19

	# Create the service underneath the scrub background service slice so that we
	# can control resource usage.
	Slice=system-xfs_scrub.slice

	# No realtime CPU scheduling
	RestrictRealtime=true

	# Dynamically create a user that isn't root
	DynamicUser=true

	# Make the entire filesystem readonly and /home inaccessible, then bind mount
	# the filesystem we're supposed to be checking into our private /tmp dir.
	# 'norbind' means that we don't bind anything under that original mount.
	ProtectSystem=strict
	ProtectHome=yes
	PrivateTmp=true
	BindPaths=%f:/tmp/scrub:norbind

	# Don't let scrub complain about paths in /etc/projects that have been hidden
	# by our sandboxing. scrub doesn't care about project ids anyway.
	InaccessiblePaths=-/etc/projects

	# No network access
	PrivateNetwork=true
	ProtectHostname=true
	RestrictAddressFamilies=none
	IPAddressDeny=any

	# Don't let the program mess with the kernel configuration at all
	ProtectKernelLogs=true
	ProtectKernelModules=true
	ProtectKernelTunables=true
	ProtectControlGroups=true
	ProtectProc=invisible
	RestrictNamespaces=true

	# Hide everything in /proc, even /proc/mounts
	ProcSubset=pid

	# Only allow the default personality Linux
	LockPersonality=true

	# No writable memory pages
	MemoryDenyWriteExecute=true

	# Don't let our mounts leak out to the host
	PrivateMounts=true

	# Restrict system calls to the native arch and only enough to get things going
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallFilter=~@privileged
	SystemCallFilter=~@resources
	SystemCallFilter=~@mount

	# xfs_scrub needs these privileges to run, and no others
	CapabilityBoundingSet=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
	AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
	NoNewPrivileges=true

	# xfs_scrub doesn't create files
	UMask=7777

	# No access to hardware /dev files except for block devices
	ProtectClock=true
	DevicePolicy=closed
	DeviceAllow=block-*