On Tue, Nov 07, 2023 at 12:52:33AM -0800, Christoph Hellwig wrote:
> On Thu, May 25, 2023 at 06:55:34PM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <djwong@xxxxxxxxxx>
> >
> > Currently, xfs_scrub has to run with some elevated privileges. Minimize
> > the risk of xfs_scrub escaping its service container or contaminating
> > the rest of the system by using systemd's sandboxing controls to
> > prohibit as much access as possible.
> >
> > The directives added by this patch were recommended by the command
> > 'systemd-analyze security xfs_scrub@.service' in systemd 249.
>
> All the additional lockdowns look good:
>
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>
>
> Maybe you can split the dynamic user change out as a small standalone
> fix, though?

I'll do that, and credit the person who asked us to do that.

Thanks for the review, systemd directives are overwhelming. :)

--D