blob: b5718263b2722478dfb8f43df7cea9e688cac26d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023-2024 Oracle. All Rights Reserved.
# Author: Darrick J. Wong <djwong@kernel.org>
[Unit]
Description=Online bcachefsck for All Filesystems
OnFailure=bcachefsck_all_fail.service
ConditionACPower=true
Documentation=man:bcachefsck_all(8)
After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service
[Service]
Type=oneshot
Environment=SERVICE_MODE=1
ExecStart=@libexecdir@/bcachefsck_all
SyslogIdentifier=bcachefsck_all
# Create the service underneath the scrub background service slice so that we
# can control resource usage.
Slice=system-bcachefsck.slice
# Run scrub_all with minimal CPU and IO priority so that nothing will starve.
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
CPUAccounting=true
Nice=19
# No realtime scheduling
RestrictRealtime=true
# No special privileges, but we still have to run as root so that we can
# contact the service manager to start the sub-units.
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
# Make the entire filesystem readonly except for the media scan stamp file
# directory. We don't want to hide anything because we need to find all
# mounted bcachefs filesystems in the host.
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=false
# No network access except to the systemd control socket
PrivateNetwork=true
ProtectHostname=true
RestrictAddressFamilies=AF_UNIX
IPAddressDeny=any
# Don't let the program mess with the kernel configuration at all
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectProc=invisible
RestrictNamespaces=true
# Hide everything in /proc, even /proc/mounts
ProcSubset=pid
# Only allow the default personality Linux
LockPersonality=true
# No writable memory pages
MemoryDenyWriteExecute=true
# Don't let our mounts leak out to the host
PrivateMounts=true
# Restrict system calls to the native arch and only enough to get things going
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@mount
# Media scan stamp file shouldn't be readable by regular users
UMask=0077
# lsblk ignores mountpoints if it can't find the device files, so we cannot
# hide them
#ProtectClock=true
#PrivateDevices=true
|
