Add more syscalls to the allow list (fixes #2022961)

It tried to debug this, but it's not easy. Things happen very early in glibc initialization, too quickly after fork for strace to show. After looking at the changes in glibc, the reason why mprotect(2) seems easy, I also filed a pull request to add it to @default filter in systemd. setsid is called from the daemonization code, but I'm not sure why it didn't cause an issue earlier. Either new syscalls are called, or something changed in error handling…
2021-11-13 16:16:49 +01:00 · 2021-11-13 16:16:49 +01:00 · eb00aaa037
commit eb00aaa037
parent b163339baf
1 changed files with 2 additions and 1 deletions
--- a/gpm.service
+++ b/gpm.service
@ -20,7 +20,8 @@ PrivateNetwork=yes
 CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
 DeviceAllow=char-tty
 DeviceAllow=char-input
-SystemCallFilter=@basic-io @io-event @network-io @file-system @process ioctl
+# See also https://github.com/systemd/systemd/pull/21350
+SystemCallFilter=@basic-io @io-event @network-io @file-system @process @signal ioctl mprotect setsid
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 RestrictAddressFamilies=AF_UNIX