1 # SPDX-License-Identifier: GPL-2.0
2 #
3 # Copyright (C) 2023-2024 Oracle.  All Rights Reserved.
4 # Author: Darrick J. Wong <djwong@kernel.org>
5
[Unit]
# %f is the instance name unescaped into a path (the mountpoint being checked);
# %i is the escaped instance name, used to address sibling template instances.
Description=Online bcachefsck for %f
# NOTE(review): this target is the very template this file defines
# (bcachefsck@), so a failing instance would name itself as its own OnFailure
# handler. Presumably a separate failure-notification unit was intended --
# confirm against the other units shipped in fsck/.
OnFailure=bcachefsck@%i.service
Documentation=man:bcachefs(8)

# Explicitly require the capabilities that this program needs.
# ConditionCapability= tests the *service manager's* capability bounding set
# (so the unit is skipped, not failed, in a container that lacks them); the
# capabilities actually handed to the fsck process are set in [Service].
ConditionCapability=CAP_SYS_ADMIN
ConditionCapability=CAP_FOWNER
ConditionCapability=CAP_DAC_OVERRIDE
ConditionCapability=CAP_DAC_READ_SEARCH
ConditionCapability=CAP_SYS_RAWIO

# Must be a mountpoint; also order this unit after (and pull in) the mount
# units for %f so the filesystem cannot be unmounted underneath the check.
ConditionPathIsMountPoint=%f
RequiresMountsFor=%f
21
[Service]
Type=oneshot
# Tells the fsck binary it is running under this unit (service mode).
Environment=SERVICE_MODE=1
# `bcachefs` is a bare name, so it is resolved via the manager's executable
# search path rather than a fixed absolute path. @bcachefsck_args@ is filled in
# at build time. /tmp/scrub/ is where BindPaths= (below) exposes the filesystem
# inside this unit's private /tmp; %f is the host-side mountpoint, presumably
# passed so that reports name the real path rather than the bind-mount -- confirm.
ExecStart=bcachefs fsck --real-mountpoint /tmp/scrub/ @bcachefsck_args@ %f
SyslogIdentifier=%N

# Run scrub with minimal CPU and IO priority so that nothing else will starve.
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
CPUAccounting=true
Nice=19

# Create the service underneath the background service slice so that we can
# control resource usage.
Slice=system-bcachefsck.slice

# No realtime CPU scheduling
RestrictRealtime=true

# Dynamically create a user that isn't root.
# Note that the dynamic user still receives CAP_SYS_ADMIN / CAP_SYS_RAWIO via
# AmbientCapabilities= below, so this is not a privilege reduction in the usual
# sense; the containment comes from the namespace, syscall and device limits.
DynamicUser=true

# Make the entire filesystem readonly and /home inaccessible, then bind mount
# the filesystem we're supposed to be checking into our private /tmp dir.
# 'norbind' means that we don't bind anything under that original mount.
# This enables checking filesystems mounted under /tmp in the global mount
# namespace.
# The bind is deliberately BindPaths= (read-write), not BindReadOnlyPaths=,
# since a repair has to be able to modify the filesystem being checked; it is
# the only writable path the process sees.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=true
BindPaths=%f:/tmp/scrub:norbind

# No network access
PrivateNetwork=true
ProtectHostname=true
# 'none' disables every address family, including AF_UNIX.
RestrictAddressFamilies=none
IPAddressDeny=any

# Don't let the program mess with the kernel configuration at all
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectProc=invisible
RestrictNamespaces=true

# Hide everything in /proc, even /proc/mounts
ProcSubset=pid

# Only allow the default personality Linux
LockPersonality=true

# No memory mappings that are both writable and executable (W^X); writable
# data pages are of course still allowed.
MemoryDenyWriteExecute=true

# Don't let our mounts leak out to the host
PrivateMounts=true

# Restrict system calls to the native arch and only enough to get things going.
# Order matters: the first line establishes the @system-service allow-list, and
# each following '~' line removes a group from it.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@mount

# bcachefsck needs these privileges to run, and no others.
# The bounding set caps what can ever be acquired; the ambient set is what the
# (non-root) dynamic user actually starts with. NoNewPrivileges= keeps ambient
# capabilities from being escalated through setuid/fscaps binaries on exec.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
NoNewPrivileges=true

# bcachefsck doesn't create files.
# Only the permission bits of a umask are meaningful, so this strips every
# permission bit from anything the process does create.
UMask=7777

# No access to hardware /dev files except for block devices.
# DeviceAllow= without an explicit mode grants read, write and mknod ('rwm'),
# and 'block-*' covers every block device on the host, not just the devices
# backing %f -- the unit cannot narrow this because %f only identifies the
# mountpoint.
ProtectClock=true
DevicePolicy=closed
DeviceAllow=block-*