blob: 8d5ed4c6b15ace894853ace44faf326b23f87984 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023-2024 Oracle. All Rights Reserved.
# Author: Darrick J. Wong <djwong@kernel.org>
[Unit]
Description=Online bcachefsck Failure Reporting for %f
Documentation=man:bcachefs(8)
[Service]
Type=oneshot
Environment=EMAIL_ADDR=root
ExecStart=@libexecdir@/bcachefsck_fail "${EMAIL_ADDR}" bcachefs %f
User=mail
Group=mail
SupplementaryGroups=systemd-journal
# Create the service underneath the background service slice so that we can
# control resource usage.
Slice=system-bcachefsck.slice
# No realtime scheduling
RestrictRealtime=true
# Make the entire filesystem readonly and /home inaccessible.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=true
RestrictSUIDSGID=true
# Emailing reports requires network access, but not the ability to change the
# hostname.
ProtectHostname=true
# Don't let the program mess with the kernel configuration at all
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectProc=invisible
RestrictNamespaces=true
# Can't hide /proc because journalctl needs it to find various pieces of log
# information
#ProcSubset=pid
# Only allow the default personality Linux
LockPersonality=true
# No writable memory pages
MemoryDenyWriteExecute=true
# Don't let our mounts leak out to the host
PrivateMounts=true
# Restrict system calls to the native arch and only enough to get things going
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@mount
# xfs_scrub needs these privileges to run, and no others
CapabilityBoundingSet=
NoNewPrivileges=true
# Failure reporting shouldn't create world-readable files
UMask=0077
# Clean up any IPC objects when this unit stops
RemoveIPC=true
# No access to hardware device files
PrivateDevices=true
ProtectClock=true
|