| From 7f24eb3b71bee502e365f0db251e65fd857b5062 Tue Apr 17 00:00:00 2022 |
| From: Meena Shanmugam <meenashanmugam@google.com> |
| Date: Tue, 12 Apr 2022 17:13:43 +0000 |
| Subject: [PATCH] Return ENOSYS for filtered syscall. |
| |
| In glibc-2.33, faccessat wrapper is changed to call first faccessat2 |
| syscall and if it fails then faccessat system call is called. Systemd |
| uses seccomp filters to filter syscalls and return EPERM if the filter |
| evaluates to true. Seccomp filter denies faccessat2 and returns EPERM. |
| If ENOSYS errno is returned, glibc will retry with faccessat syscall, |
| which doesn't happen due to SystemCallErrorNumber=EPERM in |
| systemd-udevd.service file. Changing the SystemCallErrorNumber=ENOSYS |
| should work with any newly modified glibc wrappers. |
| |
| --- |
| units/systemd-udevd.service.in | 2 ++-- |
| 1 file changed, 1 insertions(+), 1 deletions(-) |
| |
| diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in |
| index c146b0f..ef7276f 100644 |
| --- a/units/systemd-udevd.service.in |
| +++ b/units/systemd-udevd.service.in |
| @@ -36,7 +36,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 |
| RestrictRealtime=yes |
| RestrictSUIDSGID=yes |
| SystemCallFilter=@system-service @module @raw-io bpf |
| -SystemCallErrorNumber=EPERM |
| +SystemCallErrorNumber=ENOSYS |
| SystemCallArchitectures=native |
| LockPersonality=yes |
| IPAddressDeny=any |
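Review bot: the switch from `SystemCallErrorNumber=EPERM` to `SystemCallErrorNumber=ENOSYS` is unit-wide, so it changes the errno for every syscall rejected by `SystemCallFilter=@system-service @module @raw-io bpf`, not only faccessat2; the commit message should state that explicitly and say why the narrower fix (adding faccessat2 to the `SystemCallFilter=` line, so the new syscall is simply allowed and no fallback is needed) was not taken. ENOSYS is the value that makes glibc's "try the new syscall, fall back to the old one on ENOSYS" wrappers work, which is the right intent, but it also means code that treats ENOSYS as "this kernel lacks the feature" will now take its fallback path for any filtered call rather than failing loudly with EPERM. A one-line comment above `SystemCallErrorNumber=ENOSYS` explaining that ENOSYS is required for glibc's faccessat fallback would keep a future cleanup from reverting it to EPERM.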
| -- |
| 2.35.1.1094.g7c7d902a7c-goog |
| |