diff options
author | Maciek Borzecki <maciek.borzecki@gmail.com> | 2021-11-30 11:07:30 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-12-07 07:37:54 +0100 |
commit | 0ddd608a6ddcd095d378510c7096ee979741046d (patch) | |
tree | 96f5f02b95c22f87d3384d1c12b9878aab92412d /units/systemd-udevd.service.in | |
parent | f66d548c1aa54bb6e9514e7e281c83bd2a8128b6 (diff) | |
download | systemd-0ddd608a6ddcd095d378510c7096ee979741046d.tar.gz |
units/systemd-udevd: allow bpf() syscall
Programs run by udev triggers may need to execute the bpf() syscall. Even more
so, since on a cgroup v2 system, the only way to set up device access filtering
is to install a BPF program on the cgroup in question and one way of passing
data to such program is through BPF maps, which can only be access using the
bpf() syscall. One such use case was identified in RHBZ#2025264 related to
snap-device-helper, and led to RHBZ#2027627 being filed.
Unfortunately there is no finer grained control over what gets passed in the
syscall, so just enable bpf() and leave fine grained mediation to other
security layers (eg. SELinux).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2027627
Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
Diffstat (limited to 'units/systemd-udevd.service.in')
-rw-r--r-- | units/systemd-udevd.service.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index c146b0f7f8..d042bfb0d3 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -35,7 +35,7 @@ MemoryDenyWriteExecute=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictRealtime=yes RestrictSUIDSGID=yes -SystemCallFilter=@system-service @module @raw-io +SystemCallFilter=@system-service @module @raw-io bpf SystemCallErrorNumber=EPERM SystemCallArchitectures=native LockPersonality=yes |