On Thu, May 25, 2023 at 06:55:34PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@xxxxxxxxxx>
>
> Currently, xfs_scrub has to run with some elevated privileges. Minimize
> the risk of xfs_scrub escaping its service container or contaminating
> the rest of the system by using systemd's sandboxing controls to
> prohibit as much access as possible.
>
> The directives added by this patch were recommended by the command
> 'systemd-analyze security xfs_scrub@.service' in systemd 249.

All the additional lockdowns look good:

Reviewed-by: Christoph Hellwig <hch@xxxxxx>

Maybe you can split the dynamic user change out as a small standalone
fix, though?