# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023-2024 Oracle.  All Rights Reserved.
# Author: Darrick J. Wong <djwong@kernel.org>

[Unit]
Description=Online bcachefsck Failure Reporting for %f
Documentation=man:bcachefs(8)

[Service]
Type=oneshot
Environment=EMAIL_ADDR=root
ExecStart=@libexecdir@/bcachefsck_fail "${EMAIL_ADDR}" bcachefs %f
User=mail
Group=mail
SupplementaryGroups=systemd-journal

# Create the service underneath the background service slice so that we can
# control resource usage.
Slice=system-bcachefsck.slice

# No realtime scheduling
RestrictRealtime=true

# Make the entire filesystem readonly and /home inaccessible.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=true
RestrictSUIDSGID=true

# Emailing reports requires network access, but not the ability to change the
# hostname.
ProtectHostname=true

# Don't let the program mess with the kernel configuration at all
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectProc=invisible
RestrictNamespaces=true

# Can't hide /proc because journalctl needs it to find various pieces of log
# information
#ProcSubset=pid

# Only allow the default personality Linux
LockPersonality=true

# No writable memory pages
MemoryDenyWriteExecute=true

# Don't let our mounts leak out to the host
PrivateMounts=true

# Restrict system calls to the native arch and only enough to get things going
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@mount

# xfs_scrub needs these privileges to run, and no others
CapabilityBoundingSet=
NoNewPrivileges=true

# Failure reporting shouldn't create world-readable files
UMask=0077

# Clean up any IPC objects when this unit stops
RemoveIPC=true

# No access to hardware device files
PrivateDevices=true
ProtectClock=true