From: Bastian Germann <bage@debian.org>
Date: Mar, 01 2026 16:19:13 +0100
Bug-Debian: https://bugs.debian.org/1116595
Subject: reduce security lockdowns to avoid postfix problems
Apply upstream 50411335572120153cc84d54213cd5ca9dd11b14 to the other
systemd services that people might have problems with.
---
--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all.service.in
+++ xfsprogs-6.18.0/scrub/xfs_scrub_all.service.in
@@ -25,61 +25,3 @@ IOSchedulingClass=idle
CPUSchedulingPolicy=idle
CPUAccounting=true
Nice=19
-
-# No realtime scheduling
-RestrictRealtime=true
-
-# No special privileges, but we still have to run as root so that we can
-# contact the service manager to start the sub-units.
-CapabilityBoundingSet=
-NoNewPrivileges=true
-RestrictSUIDSGID=true
-
-# Make the entire filesystem readonly except for the media scan stamp file
-# directory. We don't want to hide anything because we need to find all
-# mounted XFS filesystems in the host.
-ProtectSystem=strict
-ProtectHome=read-only
-PrivateTmp=false
-BindPaths=@pkg_state_dir@
-
-# No network access except to the systemd control socket
-PrivateNetwork=true
-ProtectHostname=true
-RestrictAddressFamilies=AF_UNIX
-IPAddressDeny=any
-
-# Don't let the program mess with the kernel configuration at all
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
-ProtectProc=invisible
-RestrictNamespaces=true
-
-# Hide everything in /proc, even /proc/mounts
-ProcSubset=pid
-
-# Only allow the default personality Linux
-LockPersonality=true
-
-# No writable memory pages
-MemoryDenyWriteExecute=true
-
-# Don't let our mounts leak out to the host
-PrivateMounts=true
-
-# Restrict system calls to the native arch and only enough to get things going
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged
-SystemCallFilter=~@resources
-SystemCallFilter=~@mount
-
-# Media scan stamp file shouldn't be readable by regular users
-UMask=0077
-
-# lsblk ignores mountpoints if it can't find the device files, so we cannot
-# hide them
-#ProtectClock=true
-#PrivateDevices=true
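Review bot: the whole sandbox block is deleted here although the stated motivation is only a postfix interaction, and nothing in this unit, which per the removed comments runs as root and only needs the systemd control socket to start sub-units, is documented as touching the mail path; this is the widest relaxation in the patch, since dropping the empty `CapabilityBoundingSet=` together with `NoNewPrivileges=true`, `ProtectSystem=strict` and the `SystemCallFilter=` lines returns a root-run service to full capabilities, a writable root filesystem and an unfiltered syscall surface. Suggest keeping the directives that cannot affect mail submission (`RestrictRealtime=true`, `LockPersonality=true`, `MemoryDenyWriteExecute=true`, `SystemCallArchitectures=native`, the `ProtectKernel*` / `ProtectControlGroups=true` group, `UMask=0077` for the stamp file) and removing only the settings that were actually shown to break the reported case, with a comment in the unit recording which one and why, so the relaxation is reviewable later.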
--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all_fail.service.in
+++ xfsprogs-6.18.0/scrub/xfs_scrub_all_fail.service.in
@@ -14,58 +14,3 @@ ExecStart=@pkg_libexec_dir@/xfs_scrub_fa
User=mail
Group=mail
SupplementaryGroups=systemd-journal
-
-# No realtime scheduling
-RestrictRealtime=true
-
-# Make the entire filesystem readonly and /home inaccessible.
-ProtectSystem=full
-ProtectHome=yes
-PrivateTmp=true
-RestrictSUIDSGID=true
-
-# Emailing reports requires network access, but not the ability to change the
-# hostname.
-ProtectHostname=true
-
-# Don't let the program mess with the kernel configuration at all
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
-ProtectProc=invisible
-RestrictNamespaces=true
-
-# Can't hide /proc because journalctl needs it to find various pieces of log
-# information
-#ProcSubset=pid
-
-# Only allow the default personality Linux
-LockPersonality=true
-
-# No writable memory pages
-MemoryDenyWriteExecute=true
-
-# Don't let our mounts leak out to the host
-PrivateMounts=true
-
-# Restrict system calls to the native arch and only enough to get things going
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged
-SystemCallFilter=~@resources
-SystemCallFilter=~@mount
-
-# xfs_scrub needs these privileges to run, and no others
-CapabilityBoundingSet=
-NoNewPrivileges=true
-
-# Failure reporting shouldn't create world-readable files
-UMask=0077
-
-# Clean up any IPC objects when this unit stops
-RemoveIPC=true
-
-# No access to hardware device files
-PrivateDevices=true
-ProtectClock=true
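Review bot: the commit message does not identify which directive broke postfix, so the hunk removes all 20-odd hardening lines rather than the offending one; for a unit that runs as `User=mail` and submits reports through a sendmail-compatible path, the candidates worth checking first are `NoNewPrivileges=true` and the empty `CapabilityBoundingSet=`, which prevent a setuid/setgid submission helper from gaining its file-mode privileges, plus `SystemCallFilter=~@privileged` and `PrivateTmp=true`, whereas `RestrictRealtime=true`, `LockPersonality=true`, `MemoryDenyWriteExecute=true`, `ProtectKernelModules=true`, `ProtectKernelTunables=true`, `SystemCallArchitectures=native`, `RemoveIPC=true` and `UMask=0077` have no plausible bearing on mail delivery and could stay. Also, `UMask=0077` was there specifically so failure reports are not world-readable (see the removed comment); if it has to go, the change should say where that property is now enforced.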