1 # SPDX-License-Identifier: GPL-2.0
3 # Copyright (C) 2023-2024 Oracle. All Rights Reserved.
4 # Author: Darrick J. Wong <djwong@kernel.org>
7 Description=Online bcachefsck for All Filesystems
8 OnFailure=bcachefsck_all_fail.service
10 Documentation=man:bcachefsck_all(8)
11 After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service
15 Environment=SERVICE_MODE=1
16 ExecStart=bcachefsck_all
17 SyslogIdentifier=bcachefsck_all
19 # Create the service underneath the scrub background service slice so that we
20 # can control resource usage.
21 Slice=system-bcachefsck.slice
23 # Run bcachefsck_all with minimal CPU and IO priority so that nothing else will starve.
24 IOSchedulingClass=idle
25 CPUSchedulingPolicy=idle
29 # No realtime scheduling
32 # No special privileges, but we still have to run as root so that we can
33 # contact the service manager to start the sub-units.
34 CapabilityBoundingSet=
38 # Make the entire filesystem readonly except for the media scan stamp file
39 # directory. We don't want to hide anything because we need to find all
40 # mounted bcachefs filesystems in the host.
45 # No network access except to the systemd control socket
48 RestrictAddressFamilies=AF_UNIX
51 # Don't let the program mess with the kernel configuration at all
52 ProtectKernelLogs=true
53 ProtectKernelModules=true
54 ProtectKernelTunables=true
55 ProtectControlGroups=true
57 RestrictNamespaces=true
59 # Hide everything in /proc, even /proc/mounts
62 # Only allow the default Linux personality
65 # No memory mappings that are both writable and executable
66 MemoryDenyWriteExecute=true
68 # Don't let our mounts leak out to the host
71 # Restrict system calls to the native architecture, and allow only enough of them to get things going
72 SystemCallArchitectures=native
73 SystemCallFilter=@system-service
74 SystemCallFilter=~@privileged
75 SystemCallFilter=~@resources
76 SystemCallFilter=~@mount
78 # Media scan stamp file shouldn't be readable by regular users
81 # lsblk ignores mountpoints if it can't find the device files, so we cannot