Hi Carlos,

Please pull this branch with changes for xfsprogs for 6.10-rc1.

As usual, I did a test-merge with the main upstream branch as of a few
minutes ago, and didn't see any conflicts. Please let me know if you
encounter any problems.

The following changes since commit 34bed605490f936c3ead49e2e1cad78505260461:

  xfs_scrub: tune fstrim minlen parameter based on free space histograms (2024-07-29 17:01:09 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfsprogs-dev.git tags/scrub-service-security-6.10_2024-07-29

for you to fetch changes up to 50411335572120153cc84d54213cd5ca9dd11b14:

  xfs_scrub_all: tighten up the security on the background systemd service (2024-07-29 17:01:10 -0700)

----------------------------------------------------------------
xfs_scrub: tighten security of systemd services [v30.9 14/28]

To reduce the risk of the online fsck service suffering some sort of
catastrophic breach that results in attackers reconfiguring the running
system, I embarked on a security audit of the systemd service files.
The result should be that all elements of the background service
(individual scrub jobs, the scrub_all initiator, and the failure
reporting) run with as few privileges and within as strong of a sandbox
as possible.

Granted, this does nothing about the potential for the /kernel/ screwing
up, but at least we could prevent obvious container escapes.

This has been running on the djcloud for months with no problems. Enjoy!

Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>

----------------------------------------------------------------
Darrick J. Wong (6):
      xfs_scrub: allow auxiliary pathnames for sandboxing
      xfs_scrub.service: reduce background CPU usage to less than one core if possible
      xfs_scrub: use dynamic users when running as a systemd service
      xfs_scrub: tighten up the security on the background systemd service
      xfs_scrub_fail: tighten up the security on the background systemd service
      xfs_scrub_all: tighten up the security on the background systemd service

 man/man8/xfs_scrub.8             |  9 +++-
 scrub/Makefile                   |  7 ++-
 scrub/phase1.c                   |  4 +-
 scrub/system-xfs_scrub.slice     | 30 +++++++++++++
 scrub/vfs.c                      |  2 +-
 scrub/xfs_scrub.c                | 11 +++--
 scrub/xfs_scrub.h                |  5 ++-
 scrub/xfs_scrub@xxxxxxxxxxx      | 97 +++++++++++++++++++++++++++++++++++-----
 scrub/xfs_scrub_all.service.in   | 66 +++++++++++++++++++++++++++
 scrub/xfs_scrub_fail@xxxxxxxxxxx | 59 ++++++++++++++++++++++++
 10 files changed, 270 insertions(+), 20 deletions(-)
 create mode 100644 scrub/system-xfs_scrub.slice