[GIT PULL 14/23] xfs_scrub: tighten security of systemd services

Hi Carlos,

Please pull this branch with changes for xfsprogs for 6.10-rc1.

As usual, I did a test-merge with the main upstream branch as of a few
minutes ago, and didn't see any conflicts.  Please let me know if you
encounter any problems.

The following changes since commit 34bed605490f936c3ead49e2e1cad78505260461:

xfs_scrub: tune fstrim minlen parameter based on free space histograms (2024-07-29 17:01:09 -0700)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfsprogs-dev.git tags/scrub-service-security-6.10_2024-07-29

for you to fetch changes up to 50411335572120153cc84d54213cd5ca9dd11b14:

xfs_scrub_all: tighten up the security on the background systemd service (2024-07-29 17:01:10 -0700)

----------------------------------------------------------------
xfs_scrub: tighten security of systemd services [v30.9 14/28]

To reduce the risk of the online fsck service suffering some sort of
catastrophic breach that results in attackers reconfiguring the running
system, I embarked on a security audit of the systemd service files.
The result should be that all elements of the background service
(individual scrub jobs, the scrub_all initiator, and the failure
reporting) run with as few privileges and within as strong of a sandbox
as possible.

Granted, this does nothing about the potential for the /kernel/ screwing
up, but at least we could prevent obvious container escapes.

This has been running on the djcloud for months with no problems.  Enjoy!

Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>

----------------------------------------------------------------
Darrick J. Wong (6):
xfs_scrub: allow auxiliary pathnames for sandboxing
xfs_scrub.service: reduce background CPU usage to less than one core if possible
xfs_scrub: use dynamic users when running as a systemd service
xfs_scrub: tighten up the security on the background systemd service
xfs_scrub_fail: tighten up the security on the background systemd service
xfs_scrub_all: tighten up the security on the background systemd service

man/man8/xfs_scrub.8             |  9 +++-
scrub/Makefile                   |  7 ++-
scrub/phase1.c                   |  4 +-
scrub/system-xfs_scrub.slice     | 30 +++++++++++++
scrub/vfs.c                      |  2 +-
scrub/xfs_scrub.c                | 11 +++--
scrub/xfs_scrub.h                |  5 ++-
scrub/xfs_scrub@xxxxxxxxxxx      | 97 +++++++++++++++++++++++++++++++++++-----
scrub/xfs_scrub_all.service.in   | 66 +++++++++++++++++++++++++++
scrub/xfs_scrub_fail@xxxxxxxxxxx | 59 ++++++++++++++++++++++++
10 files changed, 270 insertions(+), 20 deletions(-)
create mode 100644 scrub/system-xfs_scrub.slice




