# SPDX-License-Identifier: GPL-2.0 # # Copyright (C) 2023-2024 Oracle. All Rights Reserved. # Author: Darrick J. Wong [Unit] Description=Online bcachefsck for All Filesystems OnFailure=bcachefsck_all_fail.service ConditionACPower=true Documentation=man:bcachefsck_all(8) After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service [Service] Type=oneshot Environment=SERVICE_MODE=1 ExecStart=bcachefsck_all SyslogIdentifier=bcachefsck_all # Create the service underneath the scrub background service slice so that we # can control resource usage. Slice=system-bcachefsck.slice # Run scrub_all with minimal CPU and IO priority so that nothing will starve. IOSchedulingClass=idle CPUSchedulingPolicy=idle CPUAccounting=true Nice=19 # No realtime scheduling RestrictRealtime=true # No special privileges, but we still have to run as root so that we can # contact the service manager to start the sub-units. CapabilityBoundingSet= NoNewPrivileges=true RestrictSUIDSGID=true # Make the entire filesystem readonly except for the media scan stamp file # directory. We don't want to hide anything because we need to find all # mounted bcachefs filesystems in the host. ProtectSystem=strict ProtectHome=read-only PrivateTmp=false # No network access except to the systemd control socket PrivateNetwork=true ProtectHostname=true RestrictAddressFamilies=AF_UNIX IPAddressDeny=any # Don't let the program mess with the kernel configuration at all ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true ProtectControlGroups=true ProtectProc=invisible RestrictNamespaces=true # Hide everything in /proc, even /proc/mounts ProcSubset=pid # Only allow the default personality Linux LockPersonality=true # No writable memory pages MemoryDenyWriteExecute=true # Don't let our mounts leak out to the host PrivateMounts=true # Restrict system calls to the native arch and only enough to get things going SystemCallArchitectures=native SystemCallFilter=@system-service SystemCallFilter=~@privileged SystemCallFilter=~@resources SystemCallFilter=~@mount # Media scan stamp file shouldn't be readable by regular users UMask=0077 # lsblk ignores mountpoints if it can't find the device files, so we cannot # hide them #ProtectClock=true #PrivateDevices=true