Add more syscalls to the allow list (fixes #2022961)

I tried to debug this, but it's not easy. Things happen very early in
glibc initialization, too quickly after fork for strace to show. After looking
at the changes in glibc, the reason why mprotect(2) seems easy, I also filed a
pull request to add it to @default filter in systemd. setsid is called from the
daemonization code, but I'm not sure why it didn't cause an issue earlier. Either
new syscalls are called, or something changed in error handling…
Zbigniew Jędrzejewski-Szmek 2021-11-13 16:16:49 +01:00
parent b163339baf
commit eb00aaa037

@ -20,7 +20,8 @@ PrivateNetwork=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
DeviceAllow=char-tty DeviceAllow=char-tty
DeviceAllow=char-input DeviceAllow=char-input
SystemCallFilter=@basic-io @io-event @network-io @file-system @process ioctl # See also https://github.com/systemd/systemd/pull/21350
SystemCallFilter=@basic-io @io-event @network-io @file-system @process @signal ioctl mprotect setsid
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX
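
Review bot: The new SystemCallFilter= line allows the whole @signal group in addition to mprotect and setsid, but the commit message only accounts for mprotect (glibc initialization) and setsid (daemonization), so it is not clear from the change which @signal calls were actually being blocked. Please extend the comment above the filter beyond "See also https://github.com/systemd/systemd/pull/21350" to say why each addition is there, and note that the explicit mprotect entry can be dropped once that pull request makes it part of @default. If the individual signal syscalls can be identified, listing them by name would keep the allow list narrower than the full group. Because SystemCallErrorNumber=EPERM makes a filtered call fail quietly with EPERM instead of terminating the process, a temporary SystemCallLog= setting on the unit may be an easier way than strace to confirm which calls are hit so early after fork.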