# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2023-2024 Oracle. All Rights Reserved.
# Author: Darrick J. Wong <djwong@kernel.org>
#
# Instance template: the instance name is the mountpoint to check. %f is the
# unescaped (path) form of that name and %i the escaped form; both are chosen
# by whoever starts the instance, so the Condition* lines below are what gate
# which values are accepted.
Description=Online bcachefsck for %f
# On failure, hand off to the bcachefsck@ instance with the same instance name.
OnFailure=bcachefsck@%i.service
Documentation=man:bcachefs(8)
# Explicitly require the capabilities that this program needs
# (ConditionCapability checks the service manager's own bounding set; if any is
# missing the unit is skipped, not failed). Keep this list in sync with
# CapabilityBoundingSet/AmbientCapabilities further down.
ConditionCapability=CAP_SYS_ADMIN
ConditionCapability=CAP_FOWNER
ConditionCapability=CAP_DAC_OVERRIDE
ConditionCapability=CAP_DAC_READ_SEARCH
ConditionCapability=CAP_SYS_RAWIO
# Must be a mountpoint
# (the only check on the caller-supplied %f before it is bind-mounted below)
ConditionPathIsMountPoint=%f
# NOTE(review): presumably tells bcachefs that it is running under a service
# manager rather than interactively — confirm against the fsck source.
Environment=SERVICE_MODE=1
# @bcachefsck_args@ looks like a build-time substitution placeholder.
# Inside the sandbox the filesystem is reachable at /tmp/scrub (see BindPaths
# below); %f is the host-side path it was mounted from.
ExecStart=bcachefs fsck --real-mountpoint /tmp/scrub/ @bcachefsck_args@ %f
# Run scrub with minimal CPU and IO priority so that nothing else will starve.
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
# Create the service underneath the background service slice so that we can
# control resource usage.
Slice=system-bcachefsck.slice
# No realtime CPU scheduling
# Dynamically create a user that isn't root
# Make the entire filesystem readonly and /home inaccessible, then bind mount
# the filesystem we're supposed to be checking into our private /tmp dir.
# 'norbind' means that we don't bind anything under that original mount.
# This enables checking filesystems mounted under /tmp in the global mount
BindPaths=%f:/tmp/scrub:norbind
# 'none' refuses socket() for every address family: the check needs neither
# network nor unix sockets.
RestrictAddressFamilies=none
# Don't let the program mess with the kernel configuration at all
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
# No new user/mount/net/... namespaces, even though CAP_SYS_ADMIN is granted
# below.
RestrictNamespaces=true
# Hide everything in /proc, even /proc/mounts
# Only allow the default personality Linux
# Refuse memory mappings that are writable and executable at the same time, and
# refuse making existing mappings executable (W^X). Ordinary writable data
# pages are still allowed.
MemoryDenyWriteExecute=true
# Don't let our mounts leak out to the host
# Restrict system calls to the native arch and only enough to get things going.
# Order matters: the first SystemCallFilter line is an allow-list, and each
# following '~' line removes a group from it. Dropping @mount means the service
# cannot mount/umount anything itself despite holding CAP_SYS_ADMIN.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@mount
# bcachefsck needs these privileges to run, and no others.
# The bounding set caps what the process can ever hold; the ambient set is what
# actually hands these to the non-root service user at exec. These five caps
# (CAP_SYS_RAWIO and CAP_DAC_OVERRIDE in particular) are the main remaining
# exposure of this unit, so the syscall filter, Protect*= and RestrictNamespaces=
# settings above are what bound what can be done with them.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
# bcachefsck doesn't create files
# No access to hardware /dev files except for block devices