units/systemd-udevd: allow bpf() syscall

Programs run by udev triggers may need to execute the bpf() syscall. Even more
so, since on a cgroup v2 system, the only way to set up device access filtering
is to install a BPF program on the cgroup in question and one way of passing
data to such program is through BPF maps, which can only be access using the
bpf() syscall. One such use case was identified in RHBZ#2025264 related to
snap-device-helper, and led to RHBZ#2027627 being filed.

Unfortunately there is no finer grained control over what gets passed in the
syscall, so just enable bpf() and leave fine grained mediation to other
security layers (eg. SELinux).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2027627
Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index c146b0f7f85d75bd64253e609f7cfe5070dc706c..d042bfb0d3b58e1805756f63461563693db0556d 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -35,7 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
-SystemCallFilter=@system-service @module @raw-io
+SystemCallFilter=@system-service @module @raw-io bpf
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes