blob: 407e15a659dabc13ac9cf5a3e5e785aed4e36e50
From ceaf3f9695d6e53c4e215ece01ce124952434cd2 Tue 29 Nov 00:00:00 2022
From: Varsha Teratipally <teratipally@google.com>
Date: Tue, 29 Nov 2022 17:13:43 +0000
Subject: [PATCH] Return ENOSYS for filtered syscall and enable logs to console
In glibc-2.33, the faccessat wrapper was changed to first call the faccessat2
syscall and, if that fails, the faccessat system call. Systemd
uses seccomp filters to filter syscalls and returns EPERM if the filter
evaluates to true. The seccomp filter denies faccessat2 and returns EPERM.
If the ENOSYS errno is returned, glibc will retry with the faccessat syscall,
which doesn't happen due to SystemCallErrorNumber=EPERM in the
systemd-udevd.service file. Changing to SystemCallErrorNumber=ENOSYS
should work with any newly modified glibc wrappers.
Also enable networkd logs to the console.
Permanently retry the systemd-networkd service in case of failure, with a rate
of 5 seconds.
---
units/systemd-networkd.service.in | 5 ++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index d15129e7f0..b888497500 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -23,6 +23,7 @@ AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET
BusName=org.freedesktop.network1
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
DeviceAllow=char-* rw
+Environment=SYSTEMD_LOG_TARGET=console
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-networkd
ExecReload=networkctl reload
FileDescriptorStoreMax=512
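Review bot: Environment=SYSTEMD_LOG_TARGET=console makes systemd-networkd write its log to stderr instead of talking to the journal natively, so the structured fields that native journal logging carries (code location, message IDs, per-message priority as a field rather than a prefix) are lost, and the second hunk's StandardOutput/StandardError=journal+console already mirrors stderr to the console on its own. Please confirm the environment override is actually needed on top of those two lines, and consider shipping all three console-logging settings as a drop-in (systemd-networkd.service.d/*.conf) for the image that wants them rather than changing the upstream unit for every user.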
@@ -38,15 +39,17 @@ ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
RestartKillSignal=SIGUSR2
-RestartSec=0
+RestartSec=5
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
+StandardOutput=journal+console
+StandardError=journal+console
SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+SystemCallErrorNumber=ENOSYS
SystemCallFilter=@system-service
Type=notify
User=systemd-network
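Review bot: the commit message attributes the EPERM to ENOSYS change to "systemd-udevd.service", but this hunk edits units/systemd-networkd.service.in; one of the two needs correcting. The ENOSYS change itself is sound: the syscalls denied by SystemCallFilter=@system-service remain blocked, and ENOSYS is what lets the glibc faccessat wrapper fall back from faccessat2 to faccessat as the message describes. Two smaller points: the diffstat reports "1 deletion(-)" while this hunk removes two lines (RestartSec=0 and SystemCallErrorNumber=EPERM), so it was not regenerated after the last edit; and "permanently retry" depends on Restart=on-failure together with the unit's start-rate limit (StartLimitIntervalSec/StartLimitBurst in [Unit], not shown here), so if unlimited restarts are truly intended either set StartLimitIntervalSec=0 or say in the message why the default burst with RestartSec=5 is enough.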
--
2.38.1.431.g37b22c650d-goog