eb00aaa037
It tried to debug this, but it's not easy. Things happen very early in glibc initialization, too quickly after fork for strace to show. After looking at the changes in glibc, the reason why mprotect(2) seems easy, I also filed a pull request to add it to @default filter in systemd. setsid is called from the daemonization code, but I'm not sure why it didn't cause an issue earlier. Either new syscalls are called, or something changed in error handling…
34 lines
1012 B
Desktop File
34 lines
1012 B
Desktop File
[Unit]
|
|
Description=Console Mouse Manager
|
|
ConditionVirtualization=!container
|
|
|
|
# This could probably benefit from socket activation, but honestly I think it
|
|
# is time for gpm to go away, and hence I am not planning to spend the time
|
|
# to add socket activation here.
|
|
|
|
[Service]
|
|
ExecStart=gpm -m /dev/input/mice -t exps2
|
|
Type=forking
|
|
PIDFile=/run/gpm.pid
|
|
|
|
ProtectSystem=full
|
|
ProtectHome=yes
|
|
ProtectProc=invisible
|
|
ProtectControlGroups=yes
|
|
ProtectKernelTunables=yes
|
|
PrivateNetwork=yes
|
|
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_ADMIN
|
|
DeviceAllow=char-tty
|
|
DeviceAllow=char-input
|
|
# See also https://github.com/systemd/systemd/pull/21350
|
|
SystemCallFilter=@basic-io @io-event @network-io @file-system @process @signal ioctl mprotect setsid
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
RestrictAddressFamilies=AF_UNIX
|
|
|
|
# Note that "special commands" are disallowed by default.
|
|
# To enable, add '-S' to ExecStart= line, and tweak the SystemCallFilter= as appropriate.
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|