From: Carlos Maiolino
Date: Tue, 6 Aug 2024 13:48:23 +0000 (+0200)
Subject: Merge tag 'scrub-service-security-6.10_2024-07-29' of https://git.kernel.org/pub...
X-Git-Tag: v6.10.0~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa9a4293b44b3f579c64f550c6551b3483d06d04;p=thirdparty%2Fxfsprogs-dev.git

Merge tag 'scrub-service-security-6.10_2024-07-29' of https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfsprogs-dev into for-next

xfs_scrub: tighten security of systemd services [v30.9 14/28]

To reduce the risk of the online fsck service suffering some sort of catastrophic breach that results in attackers reconfiguring the running system, I embarked on a security audit of the systemd service files. The result should be that all elements of the background service (individual scrub jobs, the scrub_all initiator, and the failure reporting) run with as few privileges and within as strong of a sandbox as possible.

Granted, this does nothing about the potential for the /kernel/ screwing up, but at least we could prevent obvious container escapes.

This has been running on the djcloud for months with no problems. Enjoy!

Signed-off-by: Darrick J. Wong
---

aa9a4293b44b3f579c64f550c6551b3483d06d04