Add more syscalls to the allow list (fixes #2022961)
I tried to debug this, but it's not easy. Things happen very early in glibc initialization, too quickly after fork for strace to show. After looking at the changes in glibc, the reason why mprotect(2) seems easy, I also filed a pull request to add it to @default filter in systemd. setsid is called from the daemonization code, but I'm not sure why it didn't cause an issue earlier. Either new syscalls are called, or something changed in error handling…
parent b163339baf
commit eb00aaa037
@ -20,7 +20,8 @@ PrivateNetwork=yes
|
|||||||
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
|
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
|
||||||
DeviceAllow=char-tty
|
DeviceAllow=char-tty
|
||||||
DeviceAllow=char-input
|
DeviceAllow=char-input
|
||||||
SystemCallFilter=@basic-io @io-event @network-io @file-system @process ioctl
|
# See also https://github.com/systemd/systemd/pull/21350
|
||||||
|
SystemCallFilter=@basic-io @io-event @network-io @file-system @process @signal ioctl mprotect setsid
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
SystemCallErrorNumber=EPERM
|
SystemCallErrorNumber=EPERM
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
|
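Review bot: The new SystemCallFilter= line allows the whole @signal group in addition to mprotect and setsid, but the commit message only explains mprotect (glibc initialization) and setsid (daemonization code). Please state in the message or in a unit-file comment which call required @signal, or list only the specific signal syscalls that are needed, so the allow list stays as narrow as the rest of this sandbox. The added comment "# See also https://github.com/systemd/systemd/pull/21350" also does not say which entry it refers to; naming mprotect there would make it clear that the explicit entry can be dropped once it is part of @default. Since SystemCallErrorNumber=EPERM makes a filtered call fail with an error instead of terminating the process, it would help to record how the missing calls were identified, given that the message says strace did not show them.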